Abstract. One of the most widespread frameworks for the management of access-control policies is Administrative Role Based Access Control (ARBAC). Several automated analysis techniques have been proposed to help maintain desirable security properties of ARBAC policies. One limitation of many available techniques is that the sets of users and roles are bounded. In this paper, we propose a symbolic framework to overcome this difficulty. We design an automated security analysis technique, parametric in the number of users and roles, by adapting recent methods for model checking infinite state systems that use first-order logic and state-of-the-art theorem proving techniques. Preliminary experiments with a prototype implementation seem to confirm the scalability of our technique.

1 Introduction 

Role Based Access Control (RBAC) [20] regulates access by assigning users to roles which, in turn, are granted permissions to perform certain operations. Administrative RBAC (ARBAC) [11] specifies how RBAC policies may be changed by administrators, thus providing support for decentralized policy administration, which is crucial in large distributed systems. For the sake of simplicity, we consider the URA97 component of ARBAC97 [19], which is concerned with the management of the user-role assignment by administrative roles. The generalization to other variants of ARBAC is left to future work.

It is almost impossible for a human to foresee the subtle interplays between the operations carried out by different administrators because of the large number of possible interleavings. Automated analysis techniques are thus of paramount importance to maintain desirable security properties while ensuring flexible administration. Several techniques have been proposed, e.g., [17,23,22]. In general, security analysis problems are undecidable but become decidable under suitable restrictions, and the results of the analysis are valid only under the assumptions that make them decidable. In this respect, one of the most severe limitations of the available techniques is that the number of users and roles is bounded, i.e. finite and known a priori. So, if one has proved that a certain property holds for, say, 1000 users and 150 roles and, after some time, the number of users or roles changes for some reason, then the result of the previous analysis no longer holds and the automated technique must be invoked again. It would be desirable to have analysis techniques capable of certifying that a certain property holds regardless of the number of users or roles, so as to make their results more useful.

In this paper, we propose a symbolic framework to specify ARBAC policies that enables the design of security analysis techniques that are parametric in the number of users and roles. The idea is to adapt recent techniques for model checking infinite state systems [14] that use decidable fragments of first-order logic and state-of-the-art theorem proving techniques to mechanize the analysis. The paper makes two contributions towards the goal of building parametric analysis techniques for ARBAC policies. The first is a framework for the uniform specification of a variety of ARBAC policies. In particular, we can describe security analysis problems where users and roles are finitely many but their exact number is not known a priori. The second contribution is a symbolic backward reachability procedure that can be used to solve an important class of security analysis problems, called user-role reachability problems, which allow one to check whether certain users can acquire a given permission or, dually, whether a user can never be given a role that would grant him or her a permission he or she is not supposed to have. The security analysis problem is iteratively reduced to a series of satisfiability checks in a decidable fragment of first-order logic. We use ideas from model theory and the theory of well-quasi-orderings [14, 5] for the proof of termination of the method, which turns out to be the most substantial part of the proof of correctness. The decidability of the parametric goal reachability problem is obtained as a corollary of the correctness of the procedure.

Our decidability result is more general than those in [17, 23], which assume a bounded number of users and roles. A comparison with the result in [22] is more articulated. On the one hand, we are more general in allowing for a finite but unknown number of users and roles, while in [22] the users are bounded and only the roles are parametric. On the other hand, we allow for only a restricted form of negation in the preconditions of certain administrative actions, while [22] seems to allow for arbitrary negation. We plan to investigate how to extend our framework to arbitrary negation in the near future; in this paper we focus on the core ideas. Finally, our procedure can consider several initial RBAC policies at the same time, while [17, 23, 22] can handle only one.



Plan of the paper. In Section 2, we formally define ARBAC policies and their user-role reachability problem. In Section 3, we present our symbolic framework for the specification of ARBAC policies. In Section 4, we design a symbolic analysis procedure for ARBAC policies. In Section 5, we discuss some preliminary experiments with a prototype of our technique. Section 6 concludes and gives some hints about future work. The omitted proofs and some additional material can be found in the extended version of the paper [7].



2 RBAC and ARBAC policies 



We assume familiarity with ARBAC (see, e.g., [11]) and many-sorted first-order logic with equality (see, e.g., [13]). Consider a signature $\Sigma_{ARBAC}$ containing the sort symbols $User$, $Role$, and $Permission$, countably many constant symbols $e^u_i, e^r_i, e^p_i$ (for $i \geq 0$) of sort $User$, $Role$, and $Permission$, respectively, the predicate symbols $\succeq$ (written infix), $pa$, and $ua$ of arity $Role \times Role$, $Permission \times Role$, and $User \times Role$, respectively, and no function symbols. A RBAC policy is a first-order structure $\mathcal{M} = (D, I)$ over this signature, where the interpretation of $ua$ (in symbols, $ua^I$) is the user-role assignment relation, $pa^I$ is the permission-role assignment, and $\succeq^I$ is the role hierarchy. Without loss of generality, we consider structures that interpret the sort symbols into (disjoint) sets of users, roles, and permissions, respectively. Our notion of state corresponds to that of miniRBAC policy in [23].

An ARBAC policy prescribes how the user-role assignment, the permission assignment, and the role hierarchy of RBAC policies may evolve. As in [23] and according to the URA97 administrative control model [19], in this paper we assume that the interpretations of $\succeq$ and $pa$ are constant over time and only that of $ua$ may change. We also assume that $\succeq^I$ is a partial order and refer to $\succeq^I$ as the 'more senior than' relation between roles. We abuse notation by denoting an interpretation $\mathcal{M} = (D, I)$ over $\Sigma_{ARBAC}$ with the restriction $s$ of $I$ to $ua$ when the rest of $\mathcal{M}$ is clear from the context, and write $\succeq$, $pa$, and $ua$ instead of $\succeq^I$, $pa^I$, and $ua^I$ (or $s(ua)$), respectively.

Let $s$ be a RBAC policy. A user $u$ is an explicit member of a role $r$ in $s$ if $(u, r) \in s(ua)$ or, equivalently, $s \models ua(u, r)$, where '$\models$' is the standard satisfaction relation of many-sorted first-order logic. Similarly, $u$ is an implicit member of $r$ in $s$ if $(u, r') \in s(ua)$ for some $r'$ which is more senior than $r$ or, equivalently, $s \models ua^*(u, r)$, where $ua^*(u, r)$ abbreviates the formula $\exists r'.(r' \succeq r \wedge ua(u, r'))$. Thus, $u$ is not a member of $r$ (neither implicit nor explicit) if for every role $r'$ more senior than $r$ we have $(u, r') \notin s(ua)$ or, equivalently, $s \models \forall r'.(r' \succeq r \Rightarrow \neg ua(u, r'))$.

A can_assign action is a tuple $(r_a, C, r')$ such that $r_a, r'$ are roles and $C$ is a (possibly empty) finite set of role expressions of the form $r$ or $\overline{r}$, where $r$ is a role. Sometimes, along the lines of [17], a set $T$ of users can be attached to a can_assign action; in this case, users in $T$ are assumed not to initiate any role assignment. A can_revoke action is a pair $(r_a, r')$ such that $r_a, r'$ are roles. A user $u$ satisfies a role expression $\rho$ in a RBAC policy $s$ if $u$ is an implicit member of role $r$ in $s$ when $\rho$ is $r$ (or, equivalently, $s \models ua^*(u, r)$) and $u$ is not a member of role $r$ in $s$ when $\rho$ is $\overline{r}$ (or, equivalently, $s \models \neg ua^*(u, r)$). A user $u$ satisfies the finite set $C = \{\rho_1, \ldots, \rho_n\}$ of role expressions in a RBAC policy $s$ if $u$ satisfies $\rho_i$ in $s$ for each $i = 1, \ldots, n$ ($n \geq 0$) or, equivalently, $s \models [\neg]ua^*(u, r_1) \wedge \cdots \wedge [\neg]ua^*(u, r_n)$, where $[\neg]ua^*(u, r_i)$ denotes $ua^*(u, r_i)$ when $\rho_i$ is $r_i$ and $\neg ua^*(u, r_i)$ when $\rho_i$ is $\overline{r_i}$. If $n = 0$, then $C = \emptyset$ and any user $u$ always satisfies it. Let $s, s'$ be two RBAC policies. A can_assign action $(r_a, C, r')$ is enabled in $s$ if there exist users $u_a, u$ such that $u_a$ satisfies $r_a$ in $s$ and $u$ satisfies $C$ in $s$, and $s'$ is obtained from $s$ by its application if $s'(ua) = s(ua) \cup \{(u, r')\}$. A can_revoke action $(r_a, r')$ is enabled in $s$ if there exists a user $u_a$ such that $u_a$ satisfies $r_a$ in $s$, and $s'$ is obtained from $s$ by its application if $s'(ua) = s(ua) \setminus \{(u, r')\}$ for some user $u$. If $\alpha$ is a can_assign or a can_revoke action, we write $\alpha(s, s')$ to denote the fact that the action is enabled in $s$ and $s'$ is obtained from $s$ by applying $\alpha$. The pair $(S_0, A)$ is an ARBAC policy when $S_0$ is a finite set of RBAC policies, called initial, and $A$ is a finite set of can_assign and can_revoke actions. Let $u$ be a user and $RP$ a finite set of pairs $(r, p)$ where $r$ is a role and $p$ a permission. The pair $\gamma := (u, RP)$ is called the goal of the user-role reachability problem for $\Gamma := (S_0, A)$, which consists of answering the following question: is there a sequence $s_0, \ldots, s_m$ of states such that $s_0 \in S_0$, for each $i = 0, \ldots, m-1$ there exists $\alpha \in A$ for which $\alpha(s_i, s_{i+1})$, and, for each pair $(r, p) \in RP$, $(u, r) \in s_m(ua)$ and $(p, r) \in pa$? If there is no such $m \geq 0$, then the goal $\gamma$ is unreachable; otherwise, it is reachable and the sequence $s_0, \ldots, s_m$ of states is called a run leading $\Gamma$ from an initial RBAC policy $s_0 \in S_0$ to a RBAC policy satisfying $\gamma$.

Example 1. We formalize the running example in [17]. Let $\mathcal{M}$ be an RBAC policy such that $User := \{Alice, Bob, Carol\}$, $Permission := \{Edit, Access, View\}$, and $Role := \{Employee, Engineer, PartTime, FullTime, HumanResource, ProjectLead, Manager\}$.$^3$ Every user is a member of role Employee. Managers work full-time. Project leaders are engineers. Alice is an engineer who is part-time. All employees have access permission to the office. Thus, $\mathcal{M}$ is also such that $\succeq := \{(Engineer, Employee), (PartTime, Employee), (FullTime, Employee), (ProjectLead, Engineer), (Manager, FullTime)\}$, $pa := \{(Access, Employee), (View, HumanResource), (Edit, Engineer)\}$, and $ua := \{(Alice, PartTime), (Alice, Engineer), (Bob, Manager), (Carol, HumanResource)\}$.

Examples of can_assign actions are: $(Manager, \{Engineer, FullTime\}, ProjectLead)$, $(HumanResource, \emptyset, FullTime)$, and $(HumanResource, \emptyset, PartTime)$. The meaning of the first action is that a manager can assign a full-time engineer to be a project leader; the second and the third ones mean that a user in the human-resources department can turn any user into a full-time or a part-time employee. If we attach to the previous assignments the singleton set $T = \{Carol\}$ of users, then those actions cannot be performed by Carol even if she has the appropriate roles. Examples of can_revoke actions are: $(Manager, ProjectLead)$, $(Manager, Engineer)$, $(HumanResource, FullTime)$, and $(HumanResource, PartTime)$. For instance, the meaning of the first is that a manager can revoke the role of project leader from any user; the meaning of the other actions is similar. □

3 Symbolic representation of ARBAC policies 

Our framework represents (i) sets of RBAC policies as the models of a first-order theory whose signature contains only constant and predicate symbols but no function symbols, (ii) initial RBAC policies and constraints as universal formulae and goals of reachability problems as existential formulae, and (iii) administrative actions (such as can_assign and can_revoke) as certain classes of formulae. The assumptions on the three components allow us to design a decision procedure for the user-role reachability problem where the number of users and roles is finite but unknown. We now describe these assumptions in detail.

$^3$ For the sake of clarity, here and in the other examples of the paper, we abuse notation by using more evocative names for constants than $e^a_i$, $a \in \{u, r, p\}$ ($i \geq 0$). Also, if constants have different identifiers, then they denote distinct elements. We use the same identifiers to denote constants and the elements they denote.

Formal preliminaries. A $\Sigma$-theory is a set of sentences (i.e. formulae where no free variables occur) over the signature $\Sigma$. A theory $T$ is axiomatized by a set $Ax$ of sentences if every sentence $\varphi$ in $T$ is a logical consequence of $Ax$. We associate with $T$ the class $Mod(T)$ of structures over $\Sigma$ which are models of the sentences in $T$. A theory is consistent if $Mod(T) \neq \emptyset$. A $\Sigma$-formula $\varphi$ is satisfiable modulo $T$ iff there exists $\mathcal{M} \in Mod(T)$ such that $\mathcal{M}$ satisfies $\varphi$ (in symbols, $\mathcal{M} \models \varphi$). A $\Sigma$-formula $\varphi$ is valid modulo $T$ iff its negation is unsatisfiable modulo $T$, and it is equivalent modulo $T$ to a $\Sigma$-formula $\varphi'$ iff the formula $(\varphi \Leftrightarrow \varphi')$ is valid modulo $T$. As notational conventions, the variables $u, r, p$ and their subscripted versions are of sort $User$, $Role$, and $Permission$, respectively; $\underline{u}, \underline{r}, \underline{p}$ denote tuples of variables of sort $User$, $Role$, and $Permission$, respectively; $\varphi(\underline{x}, \underline{\pi})$ denotes a quantifier-free formula where at most the variables in the tuple $\underline{x}$ may occur free and at most the predicate symbols in the tuple $\underline{\pi}$ may occur besides those of the signature over which $\varphi$ is built. In this paper, we consider only consistent theories axiomatized by universal sentences of the form $\forall \underline{x}.\varphi(\underline{x})$. In the examples, we will make frequent use of the theory of scalar values $v_1, \ldots, v_n$ (for $n \geq 1$) of type $S$, denoted with $SV(\{v_1, \ldots, v_n\}, S)$, whose signature consists of the sort $S$ and the constant symbols $v_1, \ldots, v_n$ of sort $S$, and which is axiomatized by the following (universal) sentences: $v_i \neq v_j$ for $i, j = 1, \ldots, n$ with $i \neq j$, and $\forall x.(x = v_1 \vee \cdots \vee x = v_n)$, where $x$ is of sort $S$.

3.1 Symbolic representation of RBAC policies 

Let $T_{Role}$ be a $\Sigma_{Role}$-theory axiomatized by a finite set of universal sentences, where $\Sigma_{Role}$ contains the sort $Role$, the predicate $\succeq$, and countably many constants of sort $Role$ but no function symbol. Let $T_{User}$ be a $\Sigma_{User}$-theory axiomatized by a finite set of universal sentences, where $\Sigma_{User}$ contains the sort $User$ and countably many constants of sort $User$ but no function symbol. Let $T_{Permission}$ be a $\Sigma_{Permission}$-theory axiomatized by a finite set of universal sentences, where $\Sigma_{Permission}$ contains the sort $Permission$ and countably many constants of sort $Permission$ but no function symbol. We emphasize that the signatures of these three theories may contain finitely many predicate symbols besides those mentioned above but no function symbols.

Example 2. For the version of ARBAC we are considering, the theory $T_{Role}$ can be axiomatized by the following three universal sentences: $\forall r.(r \succeq r)$, $\forall r_1, r_2.((r_1 \succeq r_2 \wedge r_2 \succeq r_1) \Rightarrow r_1 = r_2)$, and $\forall r_1, r_2, r_3.((r_1 \succeq r_2 \wedge r_2 \succeq r_3) \Rightarrow r_1 \succeq r_3)$. This means that $\succeq$ is interpreted as a partial order by the structures in $Mod(T_{Role})$. The set of basic roles and their positions in the partial order can be defined, when considering Example 1, by the following sentences: $Engineer \succeq Employee$, $PartTime \succeq Employee$, $FullTime \succeq Employee$, $ProjectLead \succeq Engineer$, and $Manager \succeq FullTime$. The interested reader can see [7] for a discussion on how to formalize ARBAC with parametric roles.

For the theory $T_{User}$, we have a similar flexibility. For example, if there is only a finite and known number $n \geq 1$ of users, say $e^u_1, \ldots, e^u_n$, then we can use the theory of scalar values $SV(\{e^u_1, \ldots, e^u_n\}, User)$. Another situation is when we have a finite but unknown number of users whose identifiers are, for example, linearly ordered (think of the integers with the usual order relation 'less than or equal'). In this case, we add the ordering relation $\leq$ of arity $User \times User$ to $\Sigma_{User}$ and the following universal sentences constrain $\leq$ to be a linear order: $\forall u.(u \leq u)$, $\forall u_1, u_2, u_3.((u_1 \leq u_2 \wedge u_2 \leq u_3) \Rightarrow u_1 \leq u_3)$, $\forall u_1, u_2.((u_1 \leq u_2 \wedge u_2 \leq u_1) \Rightarrow u_1 = u_2)$, and $\forall u_1, u_2.(u_1 \leq u_2 \vee u_2 \leq u_1)$. If $T_{User} = \emptyset$, then the identifiers $e^u_i$ of users can only be compared for (dis-)equality and there is again a finite but unknown number of users.

Similar observations also hold for $T_{Permission}$. Often, there is only a finite and known number of permissions that can be associated to roles. For example, continuing the formalization of Example 1, recall that we have only three permissions: Access, View, and Edit. So, $T_{Permission} := SV(\{Access, View, Edit\}, Permission)$. □

As shown by the example above, the flexibility of our approach allows us to go beyond standard ARBAC policies by specifying domains of users, roles, and permissions that enjoy non-trivial algebraic properties, which are useful to model, e.g., property-based policies [16]. We leave a detailed analysis of the scope of applicability of our framework to future work (as a first step in this direction, see [6]).

Now, we define $\Sigma_{ARBAC} := \Sigma_{Role} \cup \Sigma_{User} \cup \Sigma_{Permission} \cup \{pa, ua\}$ and let $T_{ARBAC} := T_{Role} \cup T_{User} \cup T_{Permission} \cup PA$, where $PA$ is a set of (universal) sentences over $\Sigma_{Role} \cup \Sigma_{Permission} \cup \{pa\}$ characterizing the permission assignment relation.

Example 3. Consider again Example 1. The permission-role assignment is axiomatized by $PA := \{\forall p, r.(pa(p, r) \Leftrightarrow ((p = Access \wedge r = Employee) \vee (p = View \wedge r = HumanResource) \vee (p = Edit \wedge r = Engineer)))\}$. □

Observe that a structure in $Mod(T_{ARBAC})$ over $\Sigma_{ARBAC}$ is a RBAC policy.

3.2 Symbolic representation of initial RBAC policies, constraints, and goals

Since no axiom involving $ua$ is in $T_{ARBAC}$, the interpretation of $ua$ is arbitrary. We consider the problem of how to constrain the interpretation of $ua$ by means of an example.



Example 4. We specify the user-role assignment of Example 1. Let $T_{User}$, $T_{Role}$, and $T_{Permission}$ be as in Example 2. Consider the formula $In(ua)$:

$\forall u, r.(ua(u, r) \Leftrightarrow ((u = Alice \wedge r = PartTime) \vee (u = Alice \wedge r = Engineer) \vee (u = Bob \wedge r = Manager) \vee (u = Carol \wedge r = HumanResource)))$.

(Notice that $In(ua)$ can be seen as Clark's completion [10] of the facts $ua(Alice, PartTime)$, $ua(Alice, Engineer)$, $ua(Bob, Manager)$, and $ua(Carol, HumanResource)$.) It is easy to see that the interpretation considered in Example 1 satisfies $In(ua)$. □

Since the formula $In(ua)$ used in the example above belongs to the class of universal sentences containing the state variable $ua$, we will use such a class of formulae, which we call $\forall$-formulae, to symbolically specify initial RBAC policies.

Example 5. Although in Example 4 the numbers of users and roles are fixed to certain values, our framework does not require this. For example, recall the discussion in Example 2 and take $T_{User} = \emptyset$ and $T_{Role} = \emptyset$. Then, consider the following $\forall$-formula: $\forall u, r.(ua(u, r) \Leftrightarrow (u \neq e^u_0 \wedge r \neq e^r_0))$. A RBAC policy $s$ satisfying the formula is such that $(e^u_0, e^r_0) \notin s(ua)$ and $(e^u_i, e^r_j) \in s(ua)$ for every pair $(i, j)$ of natural numbers with $i, j \neq 0$. Thus, there is no bound on the number of pairs $(e^u_i, e^r_j)$ in $s(ua)$. □

Notice that $\forall$-formulae are not only useful to describe initial RBAC policies but also to express constraints on the set of states that can_assign and can_revoke actions must satisfy. As an example, consider RBAC policies with separation of duty constraints, i.e. a user cannot be assigned two given roles. This can be enforced by using static mutually exclusive roles (SMER) constraints that require pairs of roles with disjoint membership (see, e.g., [23]). Formulae representing SMER constraints are $\forall$-formulae of the following form: $\forall u.\neg(ua(u, e^r_i) \wedge ua(u, e^r_j))$, for $i, j \geq 0$ and $i \neq j$. Notice that other kinds of constraints can be specified in our framework as long as they can be expressed as $\forall$-formulae.

Example 6. Let us consider again the situation described in Example 1. One may be interested in knowing if user Alice can take role FullTime and have permission Access. This property can be encoded by the following formula:

$\exists u, r, p.(ua(u, r) \wedge pa(p, r) \wedge u = Alice \wedge r \succeq FullTime \wedge p = Access)$. □

Generalizing this example, we introduce $\exists$-formulae of the form $\exists \underline{u}, \underline{r}, \underline{p}.\varphi(\underline{u}, \underline{r}, \underline{p})$.

3.3 Symbolic representation of administrative actions 

A policy literal is either $ua(u, r)$, $\neg ua(u, r)$, a literal over $\Sigma_{User}$ (e.g., $u = e^u_i$ or $u \neq e^u_i$ for $i \geq 0$), or a literal over $\Sigma_{Role}$ (e.g., $r = e^r_j$, $r \succeq e^r_j$, or their negations for $j \geq 0$). A policy expression is a finite conjunction of policy literals. Administrative actions are represented by instances of formulae of the following form:

$\exists u, r, u_1, r_1, r_2, \ldots, r_k.\ (C(u, r, u_1, r_1, r_2, \ldots, r_k) \wedge ua' = ua \oplus (u_1, e^r_i))$ (1)

$\exists u, r, u_1.\ (C(u, r, u_1) \wedge ua' = ua \ominus (u_1, e^r_i))$ (2)

where $k, i \geq 0$, $C$ is a policy expression called the guard of the transition, primed variables denote the value of the state variable $ua$ after the execution of the transition, $ua \circledast (u, e^r_i)$ abbreviates

$\lambda w, v.(\text{if } (w = u \wedge v = e^r_i) \text{ then } b \text{ else } ua(w, v))$,

and $b$ is true when $\circledast$ is $\oplus$ and false when $\circledast$ is $\ominus$.$^4$ It is possible to symbolically represent can_assign actions as formulae of the form (1) and can_revoke actions as formulae of the form (2). We illustrate this with an example.

Example 7. We specify in our framework the administrative actions given in Example 1. The can_assign action $(Manager, \{Engineer, FullTime\}, ProjectLead)$ corresponds to the following instance of (1):

$\exists u, r, u_1, r_1, r_2.\ (ua(u, r) \wedge r \succeq Manager \wedge u \neq Carol \wedge ua(u_1, r_1) \wedge r_1 \succeq Engineer \wedge ua(u_1, r_2) \wedge r_2 \succeq FullTime \wedge ua' = ua \oplus (u_1, ProjectLead))$

Two observations are in order. First, the literal $u \neq Carol$ disables the transition when $u$ is instantiated to Carol. This allows us to model the set $T = \{Carol\}$ of users that are prevented from executing assignments. Second, by simple logical manipulations and recalling the definition of the abbreviation $ua^*$ introduced in Section 2, it is possible to rewrite the guard of the transition as $ua^*(u, Manager) \wedge ua^*(u_1, Engineer) \wedge ua^*(u_1, FullTime) \wedge u \neq Carol$. The simpler can_assign rules $(HumanResource, \emptyset, FullTime)$ and $(HumanResource, \emptyset, PartTime)$ can be specified by the following two instances of (1):

$\exists u, r, u_1.\ (ua(u, r) \wedge r \succeq HumanResource \wedge u \neq Carol \wedge ua' = ua \oplus (u_1, FullTime))$

$\exists u, r, u_1.\ (ua(u, r) \wedge r \succeq HumanResource \wedge u \neq Carol \wedge ua' = ua \oplus (u_1, PartTime))$

Following [17], we call AATU (an abbreviation for 'assignment and trusted users') the set containing the above three formulae.

The can_revoke action $(Manager, ProjectLead)$ is formalized by the following instance of (2): $\exists u, r, u_1.\ (ua(u, r) \wedge r \succeq Manager \wedge ua' = ua \ominus (u_1, ProjectLead))$. The remaining three can_revokes can be obtained from the formula above by simply replacing Manager and ProjectLead with Manager and Engineer for $(Manager, Engineer)$, with HumanResource and FullTime for $(HumanResource, FullTime)$, and with HumanResource and PartTime for $(HumanResource, PartTime)$. □

$^4$ We use $\lambda$-notation here for the sake of readability only. The same formulae can be easily recast in pure first-order logic. For example, (1) can be written as $\exists u, r, u_1, r_1, \ldots, r_k.\ (C(u, r, u_1, r_1, \ldots, r_k) \wedge \forall w, v.(ua'(w, v) \Leftrightarrow ((w = u_1 \wedge v = e^r_i) \vee ua(w, v))))$.



Notice that the guards of the transitions of the form (1) do not correspond exactly to the preconditions introduced in Section 2. On the one hand, policy expressions give us the possibility to require a user $u$ to be an explicit member of a certain role $r$ in the guard of a transition (by writing $ua(u, r)$), while the preconditions of a can_assign can only require a user to be an implicit member of a role (i.e. $ua^*(u, r)$). On the other hand, it is not possible, in general, to express $\neg ua^*(u, r)$ (i.e. $u$ is neither an explicit nor an implicit member of $r$), although it is possible to use $\neg ua(u, r)$ (i.e. $u$ is not an explicit member of $r$). This is so because expressing $\neg ua^*(u, r)$ requires a universal quantification; recall from Section 2 that $\neg ua^*(u, r)$ abbreviates $\forall r'.(r' \succeq r \Rightarrow \neg ua(u, r'))$. In other words, only a limited form of negation can be expressed in the guards of our formalization of a can_assign action. This simplifies the technical development that follows, in particular the proof of termination of the procedure used to solve the user-role reachability problem (see Section 4 for details). We plan to adapt a technique used in infinite state model checking for handling global conditions to allow $\neg ua^*(u, r)$ in the guards of transitions (see, e.g., [4]) but leave this to future work. Here, we observe that in many situations of practical relevance it is possible to overcome this difficulty. For example, when there are only finitely many roles ranging over a set $R$, it is possible to eliminate the hierarchy as explained in [21], so that $\neg ua^*(u, r)$ becomes a finite conjunction of literals $\neg ua(u, r')$ for the roles $r' \in R$ more senior than $r$, and the framework proposed in this paper applies without problems. It is worth noticing that although the set of roles has been assumed to be bounded in this case, our framework still supports the situation where the set of users is finite but of unknown cardinality.



3.4 Reachability and satisfiability modulo $T_{ARBAC}$

At this point, it should be clear that the (algebraic) structures of users, roles, and permissions can be specified by suitable theories; that we can symbolically represent RBAC policies and goals by using $\forall$-formulae and $\exists$-formulae, respectively, can_assign actions by formulae of the form (1), and can_revoke actions by formulae of the form (2). As a consequence, we can rephrase the user-role reachability problem introduced in Section 2 as follows.

Let $T_{ARBAC}$ be a $\Sigma_{ARBAC}$-theory given as described above and specifying the structure of users, roles, permissions, the role hierarchy, and the permission-role relation. If $\Gamma := (S_0, A)$ is an ARBAC policy together with a set $\mathcal{C}$ of constraints on the set of states that the actions of the system must satisfy (e.g., SMER), then derive the associated symbolic ARBAC policy $\Gamma_s := (In(ua), Tr, C)$ as explained above, where $In$ is a $\forall$-formula representing the initial set $S_0$ of RBAC policies, $Tr$ is a finite set of instances of (1) or of (2) corresponding to the actions in $A$, and $C$ is a finite set of $\forall$-formulae representing the constraints in $\mathcal{C}$. Furthermore, let $\gamma_s$ be an $\exists$-formula of the form

$\exists u_1, r_1, p_1, \ldots, u_n, r_n, p_n.\ \bigwedge_{i=1}^{n} (ua(u_i, r_i) \wedge r_i \bowtie e^r_{j_i} \wedge p_i = e^p_{k_i})$, (3)

called a symbolic goal and corresponding to a goal $RP := \{(e^r_{j_i}, e^p_{k_i}) \mid i = 1, \ldots, n\}$, where $\bowtie \in \{=, \succeq\}$. Then, it is easy to see that the goal $RP$ is reachable in $\Gamma$ iff there exists a natural number $\ell \geq 0$ such that the formula

$In(ua_0) \wedge \bigwedge_{i=0}^{\ell-1} (\iota(ua_i) \wedge \tau(ua_i, ua_{i+1}) \wedge \iota(ua_{i+1})) \wedge \gamma_s(ua_\ell)$ (4)

is satisfiable modulo $T_{ARBAC}$, where $\tau$ is the disjunction of the formulae in $Tr$ and $\iota$ is the conjunction of those in $C$. Notice that the (big) conjunction over $i$ with $In$ in (4) can be seen as a characterization of the set of states (forward) reachable from the initial set of states. Symmetrically (and more interestingly for the rest of this paper), the (big) conjunction over $i$ with $\gamma_s$ in (4) characterizes the set of states backward reachable from the goal states. We observe that when $\ell = 0$, no actions need to be performed and some of the states in $In$ already satisfy $\gamma_s$; thus, formula (4) simplifies to $In(ua_0) \wedge \iota(ua_0) \wedge \gamma_s(ua_0)$.

Example 8. We illustrate the check for satisfiability of formula (4) for $\ell = 0$ by reconsidering the situation described in Example 6. The problem was to establish if the formula $In(ua)$ of Example 4 and the goal formula of Example 6 are jointly satisfiable modulo the theory $T_{ARBAC}$ of Example 3. We assume that the set of constraints of the symbolic ARBAC policy is empty. In this context, formula (4) can be written as follows:

$PO := \forall u, r.(ua(u, r) \Leftrightarrow ((u = Alice \wedge r = PartTime) \vee (u = Alice \wedge r = Engineer) \vee (u = Bob \wedge r = Manager) \vee (u = Carol \wedge r = HumanResource))) \wedge$
$\exists u_1, r_1, p_1.(ua(u_1, r_1) \wedge pa(p_1, r_1) \wedge u_1 = Alice \wedge r_1 \succeq FullTime \wedge p_1 = Access)$

where the existentially quantified variables in the goal have been renamed for clarity. The problem is to establish the satisfiability of $PO$ modulo the theory $T_{ARBAC}$ of Example 3. As will be seen below, there exists an algorithm capable of answering this question automatically. For $PO$, the algorithm would return 'unsatisfiable', entitling us to conclude that none of the initial states considered in Example 4 satisfies the goal, i.e. in none of them is Alice a full-time employee holding the Access permission. □
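To make the $\ell = 0$ check of Example 8 concrete, the following is an added Python example (my own code, not the authors' prototype, whose tool is not named on this page). It prints $PO$ in SMT-LIB 2 syntax, with $T_{ARBAC}$ spelled out for the finite structure of Example 1, so that it can be handed to a solver with quantifier support such as z3, and it also decides the same obligation by plain enumeration over that finite structure. The function names `proof_obligation_l0`, `holds_initially` and the predicate name `succeq` are mine; the hierarchy is emitted as the Clark completion of the reflexive-transitive closure of the facts of Example 2 rather than through the partial-order axioms, so that a solver cannot enlarge $\succeq$ (an assumption of this encoding, not of the paper).

```python
"""Example 8, l = 0: emit PO as SMT-LIB 2 and decide it by enumeration (finite case)."""

# Data of Example 1, constructed from the paper's text.
USERS = ["Alice", "Bob", "Carol"]
ROLES = ["Employee", "Engineer", "PartTime", "FullTime",
         "HumanResource", "ProjectLead", "Manager"]
PERMISSIONS = ["Access", "View", "Edit"]
SENIOR = [("Engineer", "Employee"), ("PartTime", "Employee"), ("FullTime", "Employee"),
          ("ProjectLead", "Engineer"), ("Manager", "FullTime")]   # (senior, junior)
PA = [("Access", "Employee"), ("View", "HumanResource"), ("Edit", "Engineer")]
INITIAL_UA = [("Alice", "PartTime"), ("Alice", "Engineer"),
              ("Bob", "Manager"), ("Carol", "HumanResource")]


def senior_closure():
    """Reflexive-transitive closure of SENIOR: the whole 'succeq' relation of T_Role."""
    rel = {(r, r) for r in ROLES} | set(SENIOR)
    while True:
        new = {(a, d) for (a, b) in rel for (c, d) in rel if b == c} - rel
        if not new:
            return sorted(rel)
        rel |= new


def scalar_sort(name, values):
    """SV({v1..vn}, S): an enumeration sort whose constants are distinct and exhaustive."""
    return f"(declare-datatypes (({name} 0)) ((" + " ".join(f"({v})" for v in values) + ")))"


def completion(pred, params, facts):
    """Clark completion: `pred` holds exactly on `facts` (the shape of PA and of In(ua))."""
    binders = " ".join(f"({v} {sort})" for v, sort in params)
    call = "(" + pred + " " + " ".join(v for v, _ in params) + ")"
    cases = " ".join(
        "(and " + " ".join(f"(= {v} {c})" for (v, _), c in zip(params, fact)) + ")"
        for fact in facts)
    return f"(assert (forall ({binders}) (= {call} (or {cases}))))"


def proof_obligation_l0(user, role, permission):
    """PO = In(ua) and the symbolic goal of Example 6, with T_ARBAC spelled out."""
    goal = (f"(assert (exists ((u1 User) (r1 Role) (p1 Permission)) "
            f"(and (ua u1 r1) (pa p1 r1) (= u1 {user}) (succeq r1 {role}) (= p1 {permission}))))")
    return "\n".join([
        scalar_sort("User", USERS),
        scalar_sort("Role", ROLES),
        scalar_sort("Permission", PERMISSIONS),
        "(declare-fun succeq (Role Role) Bool)",
        "(declare-fun pa (Permission Role) Bool)",
        "(declare-fun ua (User Role) Bool)",
        completion("succeq", [("r1", "Role"), ("r2", "Role")], senior_closure()),  # T_Role
        completion("pa", [("p", "Permission"), ("r", "Role")], PA),               # PA
        completion("ua", [("u", "User"), ("r", "Role")], INITIAL_UA),             # In(ua)
        goal,                                                                     # goal
        "(check-sat)",
    ])


def holds_initially(user, role, permission):
    """The same l = 0 question decided by enumeration: is the goal true in the initial policy?"""
    succeq = set(senior_closure())
    return any((user, r) in set(INITIAL_UA) and (permission, r) in set(PA) and (r, role) in succeq
               for r in ROLES)


if __name__ == "__main__":
    print(proof_obligation_l0("Alice", "FullTime", "Access"))
    verdict = "sat" if holds_initially("Alice", "FullTime", "Access") else "unsat"
    print(";; expected answer from the solver:", verdict)
```

Running the script prints the obligation followed by `unsat`, matching the outcome the paper states for $PO$. Note one property of the goal formula of Example 6 that the enumeration makes visible: it ties the permission to the very role the user holds explicitly ($ua(u, r) \wedge pa(p, r)$), so Alice's implicit membership of Employee does not yield Access through it, and `holds_initially("Alice", "Employee", "Access")` is also false.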

If we were able to automatically check the satisfiability of formulae of the form (4), an idea to solve the user-role reachability problem for ARBAC policies would be to generate instances of (4) for increasing values of $\ell$. However, this would not give us a decision procedure for solving the goal reachability problem but only


function BReach($\Gamma$ : $(In, Tr, C)$, $\gamma$ : $\exists$-formula)
1  $P \leftarrow \gamma$; $B \leftarrow false$; $\tau \leftarrow \bigvee_{t \in Tr} t$; $\iota \leftarrow \bigwedge_{c \in C} c$;
2  while ($\iota \wedge P \wedge \neg B$ is satisfiable modulo $T_{ARBAC}$) do
3    if ($In \wedge P$ is satisfiable modulo $T_{ARBAC}$) then return reachable;
4    $B \leftarrow P \vee B$;
5    $P \leftarrow Pre(\tau, P)$;
6  end
7  return unreachable;

Fig. 1. The basic backward reachability procedure

a semi-decision procedure. In fact, the method terminates only when the goal is reachable from the initial state, i.e. when, for a certain value of $\ell$, the instance of formula (4) is satisfiable modulo $T_{ARBAC}$. When, instead, the goal is not reachable, every instance is unsatisfiable, the check never succeeds, and we would be forced to generate an infinite sequence of instances of (4) for increasing values of $\ell$. In other words, the decidability of the satisfiability of (4) modulo $T_{ARBAC}$ is only a necessary condition for ensuring the decidability of the user-role reachability problem. Fortunately, it is possible to stop enumerating instances of (4) at a certain value $\ell$ when the formula characterizing the set of reachable states for $\ell + 1$ implies the one characterizing the set of reachable states for $\ell$; i.e. we have detected a fixed-point. We explore this idea in the following section.

4 Symbolic analysis of ARBAC policies 

A general approach to solve the user-role reachability problem is based on computing the set of backward reachable states. It is well-known that the computation of sets of backward (rather than forward) reachable states is easier to mechanize. For $n \geq 0$, the $n$-pre-image of a formula $K(ua)$ is a formula $Pre^n(\tau, K)$ recursively defined as follows: $Pre^0(\tau, K) := K$ and $Pre^{n+1}(\tau, K) := Pre(\tau, Pre^n(\tau, K))$, where$^5$

$Pre(\tau, K) := \exists ua'.(\tau(ua, ua') \wedge K(ua'))$. (5)

The formula $Pre^n(\tau, \gamma)$ describes the set of states from which it is possible to reach the goal $\gamma$ in $n \geq 0$ steps. At the $n$-th iteration of the loop, the backward reachability algorithm depicted in Figure 1 stores the formula $Pre^n(\tau, \gamma)$ in the variable $P$ and the formula $BR^n(\tau, \gamma) := \bigvee_{i=0}^{n} Pre^i(\tau, \gamma)$ (representing the set of states from which the goal $\gamma$ is reachable in at most $n$ steps) in

$^5$ In (5), we use a second-order quantifier over the relation symbol $ua$, representing the state of the system. This should not worry the reader expert in first-order theorem proving, since a higher-order feature is only used to give the definition of pre-image. We will see that we can compute a first-order formula logically equivalent to (5), so that only first-order techniques are needed to mechanize our approach.



the variable B. While computing BR n {r, 7), BReach also checks whether the 
goal is reachable in n steps (cf. line 3, which can be read as In A Pre n (r,j) 
is satisfiable modulo Tarbac) or a fixed-point has been reached (cf. line 2, 
which can be read as -i((t A BR n {r, 7)) => i?i?" _1 (r, 7)) is unsatisfiable modulo 
Tarbac or 7 equivalently, that ((t A BR n (r,j)) => Bi? n_1 (r, 7)) is valid modulo 
Tarbac)- Notice that i?i?" _1 (r, 7) BR n (r,-f) is valid by construction; thus, 
if {{Lf\BR n {T, 7)) =>■ B.R™ _1 (t, 7)) is a logical consequence of Tarbac, then also 
((i A Si?"(r,7)) BR n ~ 1 (T, r y)) is so and a fixed-point has been reached. The 
invariant t is conjoined to the set of backward reachable states when performing 
the fixed-point check as only those states that also satisfies the constraints are 
required to be considered. When BReach returns unreachable (cf. line 7), the 
variable B stores the formula describing the set of states which are backward 
reachable from 7 which is also a fixed-point. Otherwise, when it returns reachable 
(cf. line 3) at the n-th iteration, there exists a run of length n that leads the AR- 
BAC policy from a RBAC policy in In to one in 7. We observe that for BReach 
to be an effective (possibly non-terminating) procedure, it is mandatory that (i) 
the formulae used to describe the set of backward reachable states are closed 
under pre-image computation and (ii) both the satisfiability test for safety (line 
3) and that for fixed-point (line 2) are effective. 

Regarding (i), it is sufficient to prove the following result. 

Property 1. Let $K$ be an $\exists$-formula. If $\tau$ is of the form (1) or (2), then $Pre(\tau, K)$ 
is equivalent (modulo $T_{ARBAC}$) to an effectively computable $\exists$-formula. 

Proof. Let $K(ua) := \exists \underline{u}, \underline{r}.\gamma(\underline{u}, \underline{r}, ua(\underline{u}, \underline{r}))$, where $\gamma$ is a quantifier-free formula. 
By definition, $Pre(\tau, K)$ is $\exists ua'.(\tau(ua, ua') \wedge K(ua'))$ and there are two cases to 
consider. The former is when $\tau$ is of the form (1). In this case, $\exists ua'.(\tau(ua, ua') \wedge 
K(ua'))$ is equivalent to 



by simple logical manipulations and recalling the definition of $K$. In turn, this 
can be expanded to 

$$\begin{array}{l} \exists u, r, u_1, r_1, r_2, \ldots, r_k.(C(u, r, u_1, r_1, r_2, \ldots, r_k) \wedge \\ \quad \exists \underline{u}, \underline{r}.\gamma(\underline{u}, \underline{r}, (\lambda w, r.(\text{if } (w = u_1 \wedge r = e_r) \text{ then true else } ua(w, r)))(\underline{u}, \underline{r}))) \end{array}$$

by recalling the definition of $\oplus$. It is possible to eliminate the $\lambda$-expression by 
observing that each of its occurrences will be applied to a pair of existentially 
quantified variables from $\underline{u}, \underline{r}$, so that $\beta$-reduction can be applied. After this 
phase, the 'if-then-else' expressions can be eliminated by using a simple case 
analysis followed by moving out the existential quantifiers, which allows 
us to obtain an $\exists$-formula. This concludes the proof of this case. The second 
case, i.e. when $\tau$ is of the form (2), is omitted because it is almost identical to the 
previous one. □ 



Observe also that $Pre(\bigvee_{i=1}^{n} \tau_i, K)$ is equivalent to $\bigvee_{i=1}^{n} Pre(\tau_i, K)$ for $\tau_i$ of forms 
(1) and (2), for $i = 1, \ldots, n$. 




Example 9. To illustrate Property 1, we consider one of the transitions written 
in Example 7 and the goal in Example 6. We compute the pre-image w.r.t. the 
second transition in AATU (where HR stands for HumanResource and FT for 
FullTime), i.e. 

$$\begin{array}{l} \exists u, r, p.(ua'(u, r) \wedge pa(p, r) \wedge u = Alice \wedge r \succeq FT \wedge p = Access) \wedge \\ \exists u_1, r_1, u_2.(ua(u_1, r_1) \wedge r_1 = HR \wedge u_1 \neq Carol \wedge ua' = ua \oplus (u_2, FT)), \end{array}$$

where $ua'$ is implicitly existentially quantified. By simple logical manipulations, 
we have 

$$\begin{array}{l} \exists u, r, p, u_1, r_1, u_2.(pa(p, r) \wedge (\text{if } u = u_2 \wedge r = FT \text{ then true else } ua(u, r)) \wedge \\ \quad u = Alice \wedge r \succeq FT \wedge p = Access \wedge ua(u_1, r_1) \wedge r_1 = HR \wedge u_1 \neq Carol), \end{array}$$

which, by case analysis and some simplification steps, can be rewritten to 

$$\begin{array}{l} \exists u, r, p, u_1, r_1, u_2.((pa(p, r) \wedge r = FT \wedge u_2 = Alice \wedge p = Access \wedge \\ \quad ua(u_1, r_1) \wedge r_1 = HR \wedge u_1 \neq Carol) \vee \\ (pa(p, r) \wedge u \neq u_2 \wedge ua(u, r) \wedge u = Alice \wedge r \succeq FT \wedge p = Access \wedge \\ \quad ua(u_1, r_1) \wedge r_1 = HR \wedge u_1 \neq Carol) \vee \\ (pa(p, r) \wedge r \neq FT \wedge ua(u, r) \wedge u = Alice \wedge r \succeq FT \wedge p = Access \wedge \\ \quad ua(u_1, r_1) \wedge r_1 = HR \wedge u_1 \neq Carol)), \end{array}$$

which is an $\exists$-formula according to Property 1. □ 
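The loop of Figure 1 described above (lines 2 to 4 and 7) together with the pre-image of Property 1, as an added example that is not part of the paper and is not the ASSA prototype: users and roles are bounded and every RBAC state is enumerated, so $Pre(\tau, K)$ of (5) becomes a set operation rather than the symbolic $\exists$-formula manipulation of Example 9. The policy, users, roles and invariant below are constructed for illustration. The example also shows the invariant $\iota$ entering only the fixed-point test and several initial RBAC policies being handled at once.

```python
"""Explicit-state instance of the backward reachability loop of Figure 1.

Constructed example: users and roles are bounded and every state is
enumerated, so Pre(tau, K) of formula (5) is a set operation. The policy
below is hypothetical; this is not the ASSA prototype.
"""
from dataclasses import dataclass
from itertools import product

@dataclass(frozen=True)
class CanAssign:
    admin: str            # administrative role allowed to fire the action
    positive: frozenset   # roles the target user must already hold
    negative: frozenset   # roles the target user must not hold
    target: str           # role granted to the target user

@dataclass(frozen=True)
class CanRevoke:
    admin: str            # administrative role allowed to fire the action
    target: str           # role removed from the target user

def all_states(users, roles):
    """Every user-role assignment relation ua over the finite users/roles."""
    pairs = [(u, r) for u in users for r in roles]
    for bits in product((False, True), repeat=len(pairs)):
        yield frozenset(p for p, b in zip(pairs, bits) if b)

def successors(state, rules, users):
    """Forward semantics tau(ua, ua') of the URA97 actions on one state."""
    out = set()
    for rule in rules:
        if not any((a, rule.admin) in state for a in users):
            continue                                   # nobody can act
        for u in users:
            held = {r for (x, r) in state if x == u}
            if isinstance(rule, CanAssign):
                if rule.positive <= held and not (rule.negative & held):
                    out.add(state | {(u, rule.target)})   # ua' = ua (+) (u, target)
            else:
                out.add(state - {(u, rule.target)})       # ua' = ua (-) (u, target)
    return out

def pre_image(K, rules, users, states):
    """Pre(tau, K) = { ua | exists ua'. tau(ua, ua') and ua' in K }, cf. (5)."""
    return {s for s in states if successors(s, rules, users) & K}

def breach(users, roles, initial, rules, goal, invariant=lambda s: True):
    """Backward reachability as in Figure 1: returns (verdict, n, B)."""
    states = list(all_states(users, roles))
    P = {s for s in states if goal(s)}   # Pre^0(tau, gamma) = gamma
    B = set()                            # BR^{-1} = false
    n = 0
    while True:
        # line 2: fixed-point iff (iota and BR^n) => BR^{n-1},
        # i.e. every iota-state of P is already in B
        if all(s in B for s in P if invariant(s)):
            return ("unreachable", n, B)
        # line 3: safety, is In and Pre^n(tau, gamma) satisfiable?
        if any(initial(s) for s in P):
            return ("reachable", n, B | P)
        B |= P                           # line 4: BR^n = BR^{n-1} or Pre^n
        P = pre_image(P, rules, users, states)
        n += 1

# Constructed policy: Bob administers, Alice initially holds no role.
USERS = ("Alice", "Bob")
ROLES = ("Admin", "HR", "Employee", "Contractor", "FT")
RULES = (
    CanAssign("Admin", frozenset(), frozenset(), "Employee"),
    CanAssign("HR", frozenset({"Employee"}), frozenset({"Contractor"}), "FT"),
    CanRevoke("HR", "Employee"),
)

def initial(state):
    """In: Bob holds Admin and HR, Alice holds nothing (several initial policies)."""
    return (("Bob", "Admin") in state and ("Bob", "HR") in state
            and not any(u == "Alice" for (u, _) in state))

def no_contractor_fulltime(state):
    """Invariant iota: nobody is both a contractor and full-time."""
    return not any((u, "Contractor") in state and (u, "FT") in state for u in USERS)

def alice_fulltime(state):
    return ("Alice", "FT") in state

def alice_contractor(state):
    return ("Alice", "Contractor") in state

def alice_fulltime_contractor(state):
    return alice_fulltime(state) and alice_contractor(state)

if __name__ == "__main__":
    for goal in (alice_fulltime, alice_contractor, alice_fulltime_contractor):
        verdict, n, _ = breach(USERS, ROLES, initial, RULES, goal, no_contractor_fulltime)
        print(f"{goal.__name__}: {verdict} at iteration {n}")
```

On the constructed policy, Alice in FT is reported reachable after two pre-images (hire as Employee, then promote), Alice in Contractor is reported unreachable as soon as the first pre-image adds no new state (no action is backward applicable to the goal), and a goal whose states all violate $\iota$ is rejected at iteration 0 because the fixed-point test has no $\iota$-state left to consider.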

Concerning the decidability of the satisfiability tests for safety and fixed-point 
in the backward reachability algorithm in Figure 1 (point (ii) above), we observe 
that the formulae at lines 2 and 3 can be effectively transformed to formulae 
of the form $\exists \underline{x} \forall \underline{y}.\varphi(\underline{x}, \underline{y}, ua)$ where $\underline{x}$ and $\underline{y}$ are disjoint, which belong to the 
Bernays-Schönfinkel-Ramsey (BSR) class (see, e.g., [18]). To see how this is pos- 
sible, let us consider the formula at line 2. This is the conjunction of a $\forall$-formula 
($\iota$), an $\exists$-formula (as discussed above, the variable $P$ stores $Pre^n(\tau, \gamma)$, which 
by Property 1 is an $\exists$-formula), and another $\forall$-formula (as discussed above, the 
variable $B$ stores $\bigvee_{i=0}^{n-1} Pre^i(\tau, \gamma)$, whose negation is a conjunction of $\forall$-formulae 
by Property 1, which is a $\forall$-formula). By moving out quantifiers (which is always 
possible as quantified variables can be suitably renamed), it is straightforward 
to obtain a BSR formula. Now, let us turn our attention to the formula at line 
3. It is obtained by conjoining a $\forall$-formula ($In$ is so by assumption) and an 
$\exists$-formula (stored in the variable $P$, see previous case). Again, by simple logical 
manipulations, it is not difficult to obtain a formula in the BSR class. We also 
observe that checking the satisfiability of BSR formulae modulo $T_{ARBAC}$ can 
be reduced to checking the satisfiability of formulae in the BSR class since all 
the axioms of $T_{ARBAC}$ are universal sentences, i.e. BSR formulae. Collecting all 
these observations, we can state the following result. 

Property 2. The satisfiability tests at lines 2 and 3 of the backward reachability 
procedure in Figure 1 are decidable. 



This property is a corollary of the decidability of the satisfiability of the BSR 
class (see, e.g., [18]). Example 9 above contains an illustration of a satisfiability 
test to which Property 2 applies. 

4.1 Termination 

The closure under pre-image computation (Property 1) and the decidability of 
the satisfiability checks (Property 2) guarantee that the backward reachability 
procedure in Figure 1 can be mechanized, but do not eliminate the risk of 
non-termination. There are various sources of divergence. For example, the existen- 
tial prefix of a pre-image is extended at each pre-image computation with new 
variables, as shown in the proof of Property 1. Another potential problem is that 
the fixed-point might not be expressible as a disjunction of $\exists$-formulae (ac- 
cording to line 4 in Figure 1) even if it exists, so that the procedure is only able 
to compute approximations and thus never terminates. To show that both prob- 
lems can be avoided and that the procedure in Figure 1 terminates, we follow the 
approach proposed in [14, 5] for proving the termination of backward reachabil- 
ity for certain classes of infinite state systems. We introduce a model-theoretic 
notion of certain sets of states, called configurations, which are the semantic 
counterpart of $\exists$-formulae, and then define a well-quasi-order on them: this, 
according to the results in [5], implies the termination of the backward reach- 
ability procedure. For lack of space, the full technical development is omitted 
and can be found in [7]; here, we only sketch the main ideas. We also point out 
that this result can be seen as a special case of that in [14], developed in a more 
general framework that allows for the formalization and the analysis of safety 
properties for concurrent, distributed, and timed systems as well as algorithms 
manipulating arrays. However, we believe it worthwhile to prove termination for 
the procedure presented in this paper (along the lines of [14]) as some technical 
definitions become much simpler. 

A state of the symbolic ARBAC policy $\Gamma := (In, Tr, C)$ is a structure $\mathcal{M} \in 
Mod(T_{ARBAC})$, i.e. it is an RBAC policy belonging to a certain class of first- 
order structures. A configuration of $\Gamma$ is a state $\mathcal{M}$ such that the cardinality of 
the domain of $\mathcal{M}$ is finite. Intuitively, a configuration is a finite representation 
of a possibly infinite set of states that "contains at least the part mentioned 
in the configuration." The following example can help to grasp the underlying 
intuition. 

Example 10. As in Example 5, let $T_{User} = \emptyset$, $T_{Role} = \emptyset$. Consider the $\exists$- 
formula $\exists u, r.(ua(u, r) \wedge u = e^u_0 \wedge r = e^r_0)$. There is no bound on the number of 
pairs $(e^u_i, e^r_j)$ in an RBAC policy $s$ satisfying the $\exists$-formula above, provided that 
$(e^u_0, e^r_0) \in s(ua)$. Our procedure for the reachability problem considers (only) 
those RBAC policies $s$ of the form $s(ua) = \{(e^u_0, e^r_0)\} \cup A$ where $A$ is a (possibly 
empty) finite set of pairs $(e^u_i, e^r_j)$ with $i, j \neq 0$. In other words, the procedure considers 
all those configurations which contain at least the pair $(e^u_0, e^r_0)$ mentioned in the 
$\exists$-formula above plus any other (finite) set $A$ of pairs. □ 



The idea that a configuration represents a (possibly infinite) set of RBAC poli- 
cies sharing a common (finite) set of user-role assignments can be made precise 
by using the notion of partial order. A pre-order $(P, \leq)$ is a set $P$ endowed 
with a reflexive and transitive relation. An upward closed set $U$ of the pre- 
order $(P, \leq)$ is such that $U \subseteq P$ and if $p \in U$ and $p \leq q$ then $q \in U$. A 
cone is an upward closed set of the form $\uparrow p = \{q \in P \mid p \leq q\}$. We define a 
pre-order on configurations as follows. Let $\mathcal{M}$ and $\mathcal{M}'$ be configurations of $\Gamma$; 
$\mathcal{M} \leq \mathcal{M}'$ iff there exists an embedding from $\mathcal{M}$ to $\mathcal{M}'$. Roughly, an embedding 
is a homomorphism that preserves and reflects relations (see [7] for a formal 
definition). A configuration is the semantic counterpart of an $\exists$-formula. Let 
$[[K]] := \{\mathcal{M} \in Mod(T_{ARBAC}) \mid \mathcal{M} \models K\}$, where $K$ is an $\exists$-formula. 

Lemma 1. The following facts hold: (i) for every $\exists$-formula $K$, the set $[[K]]$ is 
upward closed and (ii) $[[K_1]] \subseteq [[K_2]]$ iff $(K_1 \Rightarrow K_2)$ is valid modulo $T_{ARBAC}$, 
for every pair of $\exists$-formulae $K_1, K_2$. 

An upward closed set $U$ is finitely generated iff it is a finite union of cones. 
A pre-order $(P, \leq)$ is a well-quasi-ordering (wqo) iff every upward closed set 
of $P$ is finitely generated. This is equivalent to the standard definition of wqo, 
see [14] for a proof. The idea is to use only finitely generated upward closed 
sets as configurations, so that their union is also finitely generated and we can 
conclude that the backward reachability procedure in Figure 1 is terminating 
because of the duality between configurations and $\exists$-formulae (Lemma 1). 

Theorem 1. The backward reachability procedure in Figure 1 terminates. 

As a corollary, we immediately obtain the following fact. 

Theorem 2. The user-role reachability problem is decidable. 

This result is more general than those in [17, 23], which assume a bounded number 
of users and roles. We are more general than [22] in allowing for a finite but 
unknown number of users and roles, while in [22] the users are bounded and only 
the roles are parametric. However, we allow for only a restricted form of negation 
in the preconditions of can_assign actions, while [22] seems to allow for arbitrary 
negation. Moreover, our procedure can consider several initial RBAC policies at 
the same time, while [17, 23, 22] can handle only one. 

Finally, notice that we can reduce other analysis problems (e.g., role contain- 
ment) to user-role reachability problems and thus show their decidability. For 
lack of space, this can be found in [7]. 

5 Preliminary experiments 

We briefly discuss some experiments with a prototype implementation of the 
symbolic reachability procedure in Figure 1 that we call ASSA, short for Au- 
tomated Symbolic Security Analyser. We consider the synthetic benchmarks 
described in [23] and available on the web at [2], whereby both the number of 
users and roles is bounded. We perform a comparative analysis between ASSA 
and the state-of-the-art tool in [23], called Stoller below. Our findings show 
that ASSA scales better than Stoller on this set of benchmarks; the experiments 
were conducted on an Intel(R) Core(TM)2 Duo CPU T5870, 2 GHz, 3 GB RAM, 
running Linux Debian 2.6.32. 

Fig. 2. Comparison between ASSA and Stoller on some benchmarks from [23, 2] 
(scatter plots; panels: goal size = 3, goal size = 4) 

A client-server architecture is the most obvious choice to implement the pro- 
posed symbolic backward reachability procedure. The client generates the se- 
quence of formulae representing pre-images of the formula representing the goal. 
In addition, the client is also assumed to generate the formulae characterising 
the tests for fix-point or for non-empty intersection with the initial set of poli- 
cies. The server performs the checks for satisfiability modulo Tarbac and can 
be implemented by using state-of-the-art automated deduction systems such as 
automated theorem provers (in our case, SPASS [3]) or SMT solvers (in our case, 
Z3 [1]). Although these tools are quite powerful, preliminary experiments have 
shown that the formulae to be checked for satisfiability generated by the client 
quickly become very large and are not easily solved by available state-of-the-art 
tools. A closer look at the formulae reveals that they can be greatly simplified, 
with substantial speed-ups in the performance of the reasoning systems. To 
this end, some heuristics have been implemented whose description is not possi- 
ble here for lack of space; the interested reader is pointed to [6] for a complete 
description and more experiments. 



We consider the randomly generated benchmarks in [2], where only the user- 
role assignment relation $ua$ can be modified by can_assign or can_revoke actions 
(as assumed in Section 2). These benchmarks were generated under two addi- 
tional simplifying assumptions: (i) a fixed number of users and roles, and (ii) 
absence of role hierarchy (this is without loss of generality under assumption (i), 
as observed in [23]). Besides the number of roles, one of the key parameters of the 
benchmarks (according to the parametrised complexity result derived in [23]) is 
the goal size, i.e. the number of roles in the set $RP$ of a goal reachability prob- 
lem (as defined at the end of Section 2) or, equivalently, the number of constants 
of sort Role occurring in the symbolic goal (3) of Section 3.4. The benchmarks 
are divided into five classes. The first and the second classes were used to evalu- 
ate the worst-case behavior of the forward search algorithms (i.e. when the goal is 
unreachable) described in [23]. Our backward procedure (almost) immediately 
detects unreachability by realizing that no action is backward applicable. The 
fourth and fifth classes of benchmarks fix the goal size to one while the values of 
the other parameters (e.g., the cardinality of the set $R$ of roles) grow. In particular, 
the fourth class was used to show that the cost of analysis grows very slowly 
as a function of the number of roles, while the fifth aimed to compare the per- 
formance of an enhanced version of the forward and the backward algorithms 
of [23]. For both classes, ASSA confirms that its running time grows very slowly, 
in line with the results reported in [23]. However, ASSA is slightly slower than 
Stoller because of the overhead of invoking automated reasoning systems for 
checking for fix-points instead of the ad hoc techniques of [23]. The most inter- 
esting class of problems is the third, which was used to evaluate the scalability 
of the backward reachability algorithm of [23] with respect to increasing val- 
ues of the goal size 1, 2, 3, and 4. Figure 2 shows four scatter plots for values 
1, 2, 3, and 4 of the goal size: the X and Y axes report the median times of 
ASSA and Stoller, respectively (logarithmic scale), to solve the 32 reachability 
problems in the third class of the benchmarks. A dot above the diagonal means 
a better performance of ASSA and vice versa; the time-out was set to 1,800 sec. 
Although both Stoller and ASSA were able to solve all the problems within the 
time-out, our tool is slower for goal sizes 1 and 2, behaves as Stoller for goal 
size 3, but outperforms it for goal size 4. These results are encouraging and 
seem to confirm the scalability of our techniques. For a detailed description of 
the implementation of ASSA and a more comprehensive experimental evaluation 
(confirming these results), the reader is pointed to [6]. 

6 Discussion 

We have proposed a symbolic framework for the automated analysis of ARBAC 
policies that allowed us to prove the decidability of the parametric reachability 
problem. We used a decidable fragment of first-order logic to represent the states 
and the actions of ARBAC policies to design a symbolic procedure to explore 
the (possibly infinite) state space. Preliminary results with a prototype tool 
implementing the backward reachability procedure in Figure 1 are encouraging. 



A detailed description of the implementation of the prototype and an extensive 
experimental analysis is available in [6]. 

There are two main directions for future work. First, it would be interesting 
to study to what extent other variants of ARBAC can be formalized in our frame- 
work, e.g., for UARBAC [16]. Second, we want to adapt techniques developed in 
the context of infinite state model checking to eliminate universal quantifiers in 
guards of administrative actions (called global conditions, see, e.g., [4]), to allow 
for unrestricted negation in can_assign actions. 

Acknowledgements. This work was partially supported by the "Automated Se- 
curity Analysis of Identity and Access Management Systems (SIAM)" project 
funded by Provincia Autonoma di Trento in the context of the "team 2009 - 
Incoming" COFUND action of the European Commission (FP7), the FP7-ICT- 
2007-1 Project no. 216471, "AVANTSSAR: Automated Validation of Trust and 
Security of Service-oriented Architectures," and the PRIN'07 Project 20079E5KM8 
(Integrating automated reasoning in model checking: towards push-button for- 
mal verification of large-scale and infinite-state systems) funded by MIUR. Francesco 
Alberti must be thanked for his effort in implementing and benchmarking ASSA. 

References 

1. http://research.microsoft.com/en-us/um/redmond/projects/z3. 

2. http://www.cs.stonybrook.edu/ stoller/ccs2007. 

3. http://www.spass-prover.org. 

4. P. A. Abdulla, G. Delzanno, and A. Rezine. Parameterized verification of infinite 
state processes with global conditions. In Proc. of Computer Aided Verification 
(CAV), volume 4590 of LNCS, pages 14-157, 2007. 

5. P. A. Abdulla and B. Jonsson. Model checking of systems with many identical 
timed processes. Theoretical Computer Science, pages 241-264, 2003. 

6. F. Alberti, A. Armando, and S. Ranise. Efficient Symbolic Automated Analysis of 
Administrative Role Based Access Control Policies. In Proc. of 6th ACM Symp. 
on Info., Computer and Comm. Security (ASIACCS'11), 2011. 

7. A. Armando and S. Ranise. Automated Symbolic Analysis of ARBAC-Policies 
(Extended version). Available from http://st.fbk.eu, 2010. 

8. M. Barletta, S. Ranise, and L. Vigano. Verifying the Interplay of Authorization 
Policies and Workflow in Service-Oriented Architectures. In Proc. IEEE CSE'09, 
12th Int. Conf. on Computational Science and Engineering, August 29-31, 2009. 

9. M. Y. Becker. Specification and Analysis of Dynamic Authorisation Policies. In 
22nd IEEE Computer Security Foundations Symposium ( CSF), IEEE, July 2009. 

10. K. Clark. Logic and Databases, chapter Negation as failure, pages 293-322. Plenum 
Press, New York, NY, 1978. 

11. J. Crampton. Understanding and developing role-based administrative models. 
In Proc. 12th ACM Conf. on Comp. and Comm. Security (CCS), pages 158-167, 
ACM Press, 2005. 

12. L. E. Dickson. Finiteness of the Odd Perfect and Primitive Abundant Numbers 
with n Distinct Prime Factors. American J. of Math., 35(4):413-422, 1913. 

13. H. B. Enderton. A Mathematical Introduction to Logic. Academic Press, Inc., 1972. 



14. S. Ghilardi, E. Nicolini, S. Ranise, and D. Zucchelli. Towards SMT Model-Checking 
of Array-based Systems. In Proc. of IJCAR, LNCS, 2008. 

15. W. Hodges. Model Theory. Cambridge University Press, 1993. 

16. N. Li and Z. Mao. Administration in Role Based Access Control. In Proc. ACM 
Symp. on Information, Computer, and Communication Security (ASIACCS), 2007. 

17. N. Li and M. V. Tripunitara. Security analysis in role-based access control. ACM 
Transactions on Information and System Security (TISSEC), 9(4):391-420, 2006. 

18. R. Piskac, L. de Moura, and N. Bjørner. Deciding Effectively Propositional Logic 
Using DPLL and Substitution Sets. J. of Autom. Reas., 44(4):401-424, 2010. 

19. R. Sandhu, V. Bhamidipati, and Q. Munawer. The ARBAC97 model for role-based 
control administration of roles. ACM Transactions on Information and System 
Security (TISSEC), 1(2): 105-135, 1999. 

20. R. Sandhu, E. Coyne, H. Feinstein, and C. Youman. Role-Based Access Control 
Models. IEEE Computer, 2(29):38-47, 1996. 

21. A. Sasturkar, P. Yang, S. D. Stoller, and C.R. Ramakrishnan. Policy analysis for 
administrative role based access control. In Proc. of the 19th Computer Security 
Foundations ( CSF) Workshop. IEEE Computer Society Press, July 2006. 

22. S. D. Stoller, P. Yang, M. I. Gofman, and C. R. Ramakrishnan. Symbolic Reach- 
ability Analysis for Parameterized Administrative Role Based Access Control. In 
Proc. of. SACMAT'09, pages 445-454, 2007. 

23. S. D. Stoller, P. Yang, C.R. Ramakrishnan, and M. I. Gofman. Efficient policy 
analysis for administrative role based access control. In Proc. of the 14th Conf. on 
Computer and Communications Security (CCS). ACM Press, 2007. 



Plan of the Appendixes 



We provide some additional material to illustrate and integrate the results pre- 
sented in the paper: 

— Appendix A discusses how to formalize parametric roles in our framework 
and explains that the decidability result for user-role reachability also covers 
this scenario. 

— Appendix B presents the formal details of the termination of the backward 
reachability procedure in Figure 1. 

— Appendix C discusses three related security analysis problems for ARBAC 
policies (namely, inductive policy invariant, role containment, and weakest 
preconditions) and their relationship with the user-role reachability problem. 

— Finally, Appendix D describes in some detail an execution of the sym- 
bolic backward reachability procedure of Figure 1 on a simple example taken 
from [23]. 

A Formalizing parametric roles 

Here, we explain how it is possible to model ARBAC policies with parametrised 
roles as considered in, e.g., [22]. 

A role schema can be seen as an expression of the form $\rho(p_1, \ldots, p_n)$ for 
$n \geq 0$, where $\rho$ is a role name and the $p_i$ are distinct parameter names, $i = 1, \ldots, n$. 
Each parameter can take values from a given data type containing an infinite 
number of values. An instance of a role schema is an expression of the form 
$\rho(p_1 = t_1, \ldots, p_n = t_n)$, where $t_i$ is a data value or a variable. For example, in the 
university policy considered in [22], the role schema $Student(dept, cid)$ is used for 
students registered for the course numbered $cid$ offered by department $dept$, the 
role schema $Student(dept)$ is used for all students of a specific department $dept$, 
and the instance $Student(dept = cs, cid = 101)$ identifies students of the Com- 
puter Science department taking course 101. Role schemas can be overloaded by 
using parameter names; e.g., $Student$ can have one parameter named $dept$ or two 
parameters named $dept$ and $cid$. A parametrised version of ARBAC policies can 
use parametric roles to express role assignment and revocation in a very compact 
way. For example, in the case of the university policy, one can have the follow- 
ing role schemas: $Chair(dept)$, $Student(dept, cid)$, and $TA(dept, cid)$. Then, a 
can_assign rule is the following: the chair of department $D$ (i.e. a user belonging 
to the role $Chair(dept = D)$) can assign a student of department $D$ taking 
course cs (i.e. a user belonging to the role $Student(dept = D, cid = CID)$) 
to be the teaching assistant of that course (i.e. a user belonging to the role 
$TA(dept = D, cid = CID)$). 

In our symbolic framework, this situation can be formalized as follows. We 
introduce a predicate symbol extended with an extra argument for each para- 
metric role, i.e. if the number of role names in the role schema $\rho$ is $n$, then we 
use a predicate symbol $\rho$ of arity $n + 1$ (this technique is standard, for exam- 
ple, to translate Entity-Relationship diagram schemas to fragments of first-order 
logic). For the example above, we introduce the following predicate symbols: 
$Chair$, $Student$, and $TA$ of arity 2, 3, and 3, respectively. We do not use param- 
eter names; instead we fix an order on them so that we can use the standard 
way of building atoms in first-order logic. When a role schema is overloaded, we 
introduce a different predicate symbol in order to disambiguate the situation; a 
simple automated pre-processing phase can be used to eliminate overloading. In 
this context, the can_assign rule above can be written as follows: 

$$\left(\begin{array}{l} Chair(D, r) \wedge ua(u, r) \wedge \\ Student(D, CID, r_1) \wedge ua(u_1, r_1) \wedge \\ TA(D, CID, r_2) \wedge ua' = ua \oplus (u_1, r_2) \end{array}\right)$$

where the variables $r$, $r_1$, and $r_2$ are used as the names of the roles corresponding 
to the particular values of the attributes in the role schema. This means that we 
need to require that each relation is functional or, equivalently, that the inter- 
pretation of the predicate symbols must be partial functions. In our framework, 
this can be done by adding suitable formulae to the background theory $T_{ARBAC}$. 
For the example of the university policy considered above, we can simply write 
the following $\forall$-formulae: 

$$\forall D, r_1, r_2.((Chair(D, r_1) \wedge Chair(D, r_2)) \Rightarrow r_1 = r_2)$$
$$\forall D, CID, r_1, r_2.((Student(D, CID, r_1) \wedge Student(D, CID, r_2)) \Rightarrow r_1 = r_2)$$
$$\forall D, CID, r_1, r_2.((TA(D, CID, r_1) \wedge TA(D, CID, r_2)) \Rightarrow r_1 = r_2).$$

Notice also that we can specify additional constraints among two or more rela- 
tions if we can express them as $\forall$-formulae. It is not obvious how this feature can 
be added to the approach in [22]. For the example above, we have mentioned 
that we can have a role schema $Student(dept)$ for identifying all students in the 
department $dept$. Indeed, $Student(dept, cid)$ must characterize sub-sets of users 
of the role $Student(dept)$. If we introduce a binary predicate symbol $Student_1$ 
of arity 2 corresponding to the role schema $Student(dept)$, then we can express 
this by the following $\forall$-formula: 

$$\forall D, CID, r.(Student(D, CID, r) \Rightarrow Student_1(D, r)),$$

which can be added to $T_{ARBAC}$. 

To summarize, our framework can handle parametrised roles as follows. First, 
the sub-theory $T_{Role}$ of $T_{ARBAC}$ becomes many-sorted: besides the sort Role, 
we introduce as many sort symbols (called parameter sorts) as there are domains for 
the parameters of each role. Furthermore, for each role symbol $\rho$ of arity $n$, 
we introduce a predicate symbol of arity $n + 1$. Overloading is eliminated by 
introducing decorated versions of the predicate symbol, and an order on the 
parameter names is fixed so that we can use the standard way of building atoms 
of first-order logic. Second, for each predicate symbol $\rho$ of arity $n + 1$, we add 
the following functional constraint to $T_{Role}$ and hence to $T_{ARBAC}$: 

$$\forall \underline{x}, r_1, r_2.((\rho(\underline{x}, r_1) \wedge \rho(\underline{x}, r_2)) \Rightarrow r_1 = r_2),$$



where $\underline{x}$ is a tuple of length $n$ of variables of appropriate sorts. If needed, we 
can add further constraints (e.g., formalizing relationships between different role 
symbols) if these can be expressed as $\forall$-formulae. For example, it is worth notic- 
ing how to express the role hierarchy for parametrised roles. Besides the usual 
axioms requiring $\succeq$ to be a partial order, we can also add $\forall$-formulae of the 
following form: 

$$\forall \underline{x}, \underline{y}, r_1, r_2.((\rho_1(\underline{x}, r_1) \wedge \rho_2(\underline{y}, r_2)) \Rightarrow r_1 \succeq r_2),$$

where $\underline{x}, \underline{y}$ are tuples of variables of appropriate sorts and $\rho_1, \rho_2$ are two predicates 
representing parametric roles. This axiom requires that all instances of the para- 
metric role $\rho_1$ are senior to those of role $\rho_2$. Notice that one can design more 
sophisticated hierarchical relationships between role instances depending on the 
values of the parameters, provided that the signature is rich enough to express 
the constraints between the values of the parameters and that only $\forall$-formulae 
are used. 

Finally, can_assign and can_revoke actions can be written by using existen- 
tially quantified variables ranging over the parameter names besides those rang- 
ing over users and roles, thus generalizing the shapes of actions (1) and (2). 
Formally, transitions have the following forms: 

$$\exists u, r, u_1, r_1, r_2, \ldots, r_k, \underline{p}.(C(u, r, u_1, r_1, r_2, \ldots, r_k, \underline{p}) \wedge ua' = ua \oplus (u_1, e_r))$$
$$\exists u, r, u_1, \underline{p}.(C(u, r, u_1, \underline{p}) \wedge ua' = ua \ominus (u_1, e_r))$$

where $\underline{p}$ is a tuple of variables of parameter sorts and $C$ is a constraint in which 
literals built out of the predicate symbols introduced for modelling para- 
metric roles may also occur. 
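The encoding of this appendix, as an added example that is not part of the paper or of ASSA: the finite interpretations of $Chair$, $Student$, $TA$ and $Student_1$ below are constructed (hypothetical departments, course numbers and role identifiers), the functional constraint and the $Student \Rightarrow Student_1$ containment axiom are checked over them as $\forall$-formulae evaluated on a finite structure, and the Chair/Student/TA can_assign written above is applied to a constructed $ua$ to produce its successor relations $ua'$.

```python
"""Parametric roles as relations with an extra role argument (Appendix A).

Constructed example, not the paper's tool: finite interpretations of
Chair/2, Student/3, TA/3 and Student1/2 are checked against the universal
axioms added to T_ARBAC, and the Chair/Student/TA can_assign is applied.
Department, course and role identifiers are hypothetical.
"""

def functional_violations(rel):
    """Keys x with two different roles, i.e. counterexamples to
    forall x, r1, r2. (rho(x, r1) and rho(x, r2)) => r1 = r2."""
    roles_of = {}
    for *x, r in rel:
        roles_of.setdefault(tuple(x), set()).add(r)
    return {x: rs for x, rs in roles_of.items() if len(rs) > 1}

def containment_violations(student, student1):
    """Counterexamples to forall D, CID, r. Student(D, CID, r) => Student1(D, r)."""
    return {(d, cid, r) for (d, cid, r) in student if (d, r) not in student1}

def chair_assigns_ta(ua, chair, student, ta):
    """Successors ua' of the parametric can_assign: a chair of D moves a
    student of course (D, CID) into TA(D, CID). Assumes the functional
    axioms hold, so each key determines at most one role."""
    chair_role = {d: r for (d, r) in chair}
    student_role = {(d, c): r for (d, c, r) in student}
    ta_role = {(d, c): r for (d, c, r) in ta}
    holders = lambda role: {u for (u, x) in ua if x == role}
    succ = set()
    for (d, c), r1 in student_role.items():
        if d not in chair_role or (d, c) not in ta_role:
            continue
        if not holders(chair_role[d]):       # exists u. Chair(D, r) and ua(u, r)
            continue
        for u1 in holders(r1):               # exists u1. Student(D, CID, r1) and ua(u1, r1)
            succ.add(frozenset(ua | {(u1, ta_role[(d, c)])}))   # ua' = ua (+) (u1, r2)
    return succ

# Constructed finite structure (hypothetical identifiers).
CHAIR = {("cs", "chair_cs")}
STUDENT = {("cs", 101, "stud_cs101"), ("ee", 201, "stud_ee201")}
TA = {("cs", 101, "ta_cs101"), ("ee", 201, "ta_ee201")}
STUDENT1 = {("cs", "stud_cs101"), ("ee", "stud_ee201")}
UA = frozenset({("carol", "chair_cs"), ("alice", "stud_cs101"), ("bob", "stud_ee201")})

if __name__ == "__main__":
    print("functional violations:", functional_violations(STUDENT))
    print("containment violations:", containment_violations(STUDENT, STUDENT1))
    for ua_next in chair_assigns_ta(UA, CHAIR, STUDENT, TA):
        print("ua' =", sorted(ua_next))
```

Only the cs course has a chair in $ua$, so the single successor adds (alice, ta_cs101); adding a second role for the key (cs, 101) to $Student$ makes the functional check report it, which is exactly what the axiom added to $T_{ARBAC}$ forbids.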

All the results proved in Sections 4 and 4 can be easily extended to cover 
ARBAC policies with parametric roles once we observe that the formulae 
introduced here satisfy the assumptions on the theory $T_{ARBAC}$ of Section 3. 

B Termination of backward reachability 

B.1 Pre- and well-quasi-orders: definitions and basic properties 

A pre-order $(P, \leq)$ is a set $P$ endowed with a reflexive and transitive relation $\leq$. 
We say that $\leq$ is decidable if, given $p_1$ and $p_2$ in $P$, we can algorithmically check 
whether $p_1 \leq p_2$. An upward closed set $U$ of the pre-order $(P, \leq)$ is such that 
$U \subseteq P$ and if $p \in U$ and $p \leq q$ then $q \in U$. A cone is an upward closed set of 
the form $\uparrow p = \{q \in P \mid p \leq q\}$. An upward closed set $U$ is finitely generated iff 
it is a finite union of cones. 

For an upward closed set $U$, a generator of $U$ is a set $G$ such that (a) $U = 
\bigcup_{g \in G} \uparrow g$ and (b) $g_1 \leq g_2$ implies $g_1 = g_2$, for every $g_1, g_2 \in G$. It is easy to 
see that $G$ contains only minimal elements (w.r.t. $\leq$) but, in general, it need 
not be unique. In any case, it is always possible to define a function $gen(U)$ 
returning a unique generator of $U$ (the same chosen among the many possible 
ones). 

A pre-order $(P, \leq)$ is a well-quasi-ordering (wqo) iff every upward closed set 
of $P$ is finitely generated (this is equivalent to the standard definition of wqo, 
see [14] for a proof). In the case of a wqo, $gen(U)$ is finite because of property 
(b) of the definition of generator of $U$. This implies that every upward closed set 
$U$ can be characterized by a finite set of configurations, namely $gen(U)$. 

B.2 Some notions and results of model-theory 

Let $\mathcal{M}$ be a $\Sigma$-structure. A substructure of $\mathcal{M}$ is a $\Sigma$-structure $\mathcal{N}$ whose domain 
is contained in that of $\mathcal{M}$ and such that the interpretations of the symbols of $\Sigma$ 
in $\mathcal{N}$ are restrictions of the interpretations of these symbols in $\mathcal{M}$; conversely, we 
say that $\mathcal{M}$ is a superstructure of $\mathcal{N}$. Let $C$ be a class of structures; we say that 
$C$ is closed under substructures if $\mathcal{M} \in C$ and $\mathcal{N}$ is a substructure of $\mathcal{M}$, then 
$\mathcal{N} \in C$. 

Property 3. A class C of structures is closed under substructures iff there exists 
a theory T such that T contains only V-formulae and Mod(T) = C. 

A proof of this result can be found in any book on model theory, e.g., [15]. 

Let $\mathcal{M}$ and $\mathcal{N}$ be two structures over the same signature $\Sigma$ and $M$, $N$ be their
domains, respectively; an embedding $s$ is an injective mapping from $M$ to $N$
such that (i) $s(f^{\mathcal{M}}(e_1, \ldots, e_n)) = f^{\mathcal{N}}(s(e_1), \ldots, s(e_n))$ for each function symbol
$f$ in the signature $\Sigma$ and (ii) $(e_1, \ldots, e_n) \in R^{\mathcal{M}}$ iff $(s(e_1), \ldots, s(e_n)) \in R^{\mathcal{N}}$ for each
predicate symbol $R$ in $\Sigma$, where $(e_1, \ldots, e_n)$ is a tuple of elements in $M$ of length
equal to the arity of $f$ or $R$, respectively. In other words, an embedding is a
homomorphism that preserves and reflects relations. It is possible to show (see,
e.g., [15]) that any embedding can be seen as the composition of an isomorphism
followed by an "extension," i.e. if there is an embedding from $\mathcal{M}$ to $\mathcal{N}$, we can
assume that $\mathcal{M}$ is a substructure of $\mathcal{N}$ (or dually, $\mathcal{N}$ is a superstructure of $\mathcal{M}$).

Abstractly, (Robinson) diagrams give a logical formulation of model-theoretic
properties such as "there exists an embedding from structure $\mathcal{M}$ to structure
$\mathcal{N}$." The importance of this will be clear when considering the definition of the
pre-order on configurations (given in terms of the existence of an embedding
between structures). Let $\mathcal{M}$ be a $\Sigma$-structure and $A$ be a subset of the domain
of $\mathcal{M}$; $\Sigma(A)$ is the signature obtained by adding to $\Sigma$ a new constant symbol
$\underline{a}$ for each $a \in A$. We can regard $\mathcal{M}$ as a $\Sigma(A)$-structure when the interpretation
function of $\mathcal{M}$ is extended so that every element $a$ in $A$ is the interpretation of the constant
$\underline{a}$. The (Robinson) diagram of $A$ in $\mathcal{M}$, in symbols $\delta_{\mathcal{M}}(A)$, is the set $L$ of all
$\Sigma(A)$-literals $\ell$ such that $\mathcal{M} \models \ell$.

Lemma 2 (Diagram Lemma). Let $\mathcal{M}$ and $\mathcal{N}$ be two $\Sigma$-structures and $M$ be
the domain of $\mathcal{M}$. Then, there exists an embedding from $\mathcal{M}$ to $\mathcal{N}$ iff $\mathcal{N}$ can be
expanded to a $\Sigma(M)$-structure which is a model of $\delta_{\mathcal{M}}(M)$.

The proof of this fact is an immediate consequence of the definition of Robin- 
son diagram given above and can be found in any book on model theory (see, 
e.g., [15]). 



B.3 A pre-order on configurations: formal definition 

Let $\Gamma$ be a symbolic ARBAC policy, i.e.

$\Gamma := (In(ua),\ \{\tau_1(ua, ua'), \ldots, \tau_n(ua, ua')\},\ \{\iota_1(ua), \ldots, \iota_m(ua)\})$

where $In$ is a $\forall$-formula, each $\iota_j$ is a $\forall$-formula, and each $\tau_i$ is a transition formula of
the form (1) or (2).

Recall that a state of the ARBAC policy $\Gamma$ is a structure $\mathcal{M} \in Mod(T_{ARBAC})$.

Definition 1. A configuration of $\Gamma$ is a state $\mathcal{M}$ whose domain $M$ is finite,
i.e. the cardinality of the domain of $\mathcal{M}$ is bounded.

We are now in the position to define the pre-order on configurations.

Definition 2. Let $\mathcal{M}$ and $\mathcal{M}'$ be configurations. We write $\mathcal{M} \le \mathcal{M}'$ iff there
exists an embedding $s$ from $\mathcal{M}$ to $\mathcal{M}'$.

B.4 From $\exists$-formulae to configurations...

We show that $\exists$-formulae identify configurations. To state this result formally,
we recall the following notation: $[[K]] := \{\mathcal{M} \in Mod(T_{ARBAC}) \mid \mathcal{M} \models K\}$, for
$K$ an $\exists$-formula.

Proposition 1. For every $\exists$-formula $K$, the set $[[K]]$ is upward closed.

Proof. Since the union of upward closed sets is still an upward closed set, we
assume, without loss of generality, that $K(ua)$ is of the form $\exists \underline{r}, \underline{u}.\varphi(\underline{r}, \underline{u}, ua)$
where $\underline{u}, \underline{r}$ are tuples of variables for users and roles, respectively, and $\varphi$ is a
conjunction of literals (as we can always transform a Boolean combination of
atoms into disjunctive normal form and then distribute the existential quantifiers
over the disjunction). Under these assumptions, showing that $[[K]]$ is upward
closed amounts to proving that if the configuration $\mathcal{M} \in [[K]]$ and $\mathcal{M} \le \mathcal{N}$, then
$\mathcal{N} \in [[K]]$, i.e. $\mathcal{N} \models K$. Now, assume that $\mathcal{M} \in [[K]]$ and $\mathcal{M} \le \mathcal{N}$. This implies,
by definition of $[[\cdot]]$, that (a) $\mathcal{M} \models K$ and (b) there exists an embedding $s$ from
$\mathcal{M}$ to $\mathcal{N}$. From (a), by definition of truth, it follows that there exist tuples $\underline{e^u}$
and $\underline{e^r}$ of sort User and Role, respectively, such that $\mathcal{M} \models \varphi(\underline{e^r}, \underline{e^u}, ua)$. From (b)
and the definition of embedding, we derive that

$\mathcal{M} \models \varphi(\underline{e^r}, \underline{e^u}, ua)$ iff $\mathcal{N} \models \varphi(s(\underline{e^r}), s(\underline{e^u}), ua)$.

The last two facts (and the well-known property that truth of quantifier-free
formulae is preserved when considering superstructures) imply that $\mathcal{N} \models K$, as
desired. This concludes the proof that $[[K]]$ is upward closed. □

We show that entailment between $\exists$-formulae is equivalent to containment among
sets of configurations.

Proposition 2. $[[K_1]] \subseteq [[K_2]]$ iff $K_1 \Rightarrow K_2$ is valid modulo $T_{ARBAC}$, for every
pair of $\exists$-formulae $K_1, K_2$.

Proof. There are two cases to consider. The 'if' case is trivial: it is an immediate
consequence of the definition of truth. For the 'only if' case, we prove that if
$K_1 \Rightarrow K_2$ is not valid modulo $T_{ARBAC}$, then $[[K_1]] \not\subseteq [[K_2]]$. Assuming that
$K_1 \Rightarrow K_2$ is not valid modulo $T_{ARBAC}$ is equivalent, by refutation, to saying that
$\neg(K_1 \Rightarrow K_2)$ (or $K_1 \wedge \neg K_2$) is satisfiable modulo $T_{ARBAC}$. In turn, this implies
that $K_1 \wedge \neg K_2$ is satisfiable in a finite model according to the proof of the
decidability of the BSR class, i.e. in a configuration. From this and Proposition 1, we derive that
$[[K_1]] \cap [[K_2]]^c \neq \emptyset$ (where $\cdot^c$ denotes the set complement operation). By simple
set-theoretic manipulations, we derive $[[K_1]] \not\subseteq [[K_2]]$, as desired. □

Lemma 1 is an immediate consequence of Propositions 1 and 2.

B.5 ... and vice versa: from configurations to $\exists$-formulae

We show that finitely generated upward closed sets of configurations are sets
of the form $[[K]]$, for some $\exists$-formula $K$. To do this, we use Robinson
diagrams (introduced in Section B.2) since they give a logical formulation of
model-theoretic properties such as "there exists an embedding from structure
$\mathcal{M}$ to structure $\mathcal{N}$." The importance of this is clear as soon as we recall the
definition of the pre-order over configurations, which requires the existence of an embedding
between structures to show that a configuration precedes another according to
the pre-order. The main obstacle in using diagrams is that the formula $\delta_{\mathcal{M}}(M)$
usually contains infinitely many literals. Fortunately, in our case, it is possible
to show that we can consider only a finite subset of the literals in $\delta_{\mathcal{M}}(M)$, as all the
others are implied by those in the subset.

Proposition 3. The following facts hold:

(i) with every configuration $\mathcal{M}$, it is possible to effectively associate an $\exists$-formula
$K_{\mathcal{M}}$ (called diagram formula (for $\mathcal{M}$)) such that $[[K_{\mathcal{M}}]] = {\uparrow}\mathcal{M}$;

(ii) with every $\exists$-formula $K$, it is possible to effectively associate a finite set
$\{\mathcal{M}_1, \ldots, \mathcal{M}_n\}$ of configurations such that $K$ is equivalent to $\bigvee_{i=1}^n K_{\mathcal{M}_i}$;

(iii) any finitely generated upward closed set of configurations coincides with
$[[K]]$, for some $\exists$-formula $K$.

Proof. We consider the three cases separately.

(i) Let $\mathcal{M}$ be a configuration and consider the "diagram" $\delta_{\mathcal{M}}(\underline{e^u}, \underline{e^r})$ where $\underline{e^u}$
and $\underline{e^r}$ are finite tuples of users and roles, respectively, that are
in the domain of $\mathcal{M}$.

Remark 1. Notice that $\delta_{\mathcal{M}}(\underline{e^u}, \underline{e^r})$ is not the Robinson diagram as defined
above; however, it turns out to be equivalent to $\delta_{\mathcal{M}}(\{e^u_i \mid i > 0\}$ $\cup$ $\{e^r_i \mid i >
0\})$, i.e. the "real" diagram. This is so because in any model of a BSR theory
there are only finitely many distinct atoms that "matter," which are
precisely those in $\delta_{\mathcal{M}}(\underline{e^u}, \underline{e^r})$, because when checking for satisfiability we can
always restrict to those constants that occur in the formula to be checked for
satisfiability, as discussed in the sketch of the proof of Property 2. (Recall,
in fact, that by applying Herbrand's theorem, the Herbrand universe is finite
and composed only of the constants occurring in the formula.) So, below, we
refer to $\delta_{\mathcal{M}}(\underline{e^u}, \underline{e^r})$ as the diagram and we treat it as the conjunction of its
elements (i.e. as a first-order formula) since it is finite. □

Now, take $K_{\mathcal{M}}$ to be the following $\exists$-formula: $\exists \underline{u}, \underline{r}.\delta_{\mathcal{M}}(\underline{u}, \underline{r})$. We are left
with the problem of proving that $[[K_{\mathcal{M}}]] = {\uparrow}\mathcal{M}$. By the definitions of $[[\cdot]]$
and ${\uparrow}\mathcal{M}$, this is equivalent to showing that a configuration $\mathcal{N}$ is in
$[[K_{\mathcal{M}}]]$, or, equivalently, $\mathcal{N} \models \exists \underline{u}, \underline{r}.\delta_{\mathcal{M}}(\underline{u}, \underline{r})$, iff $\mathcal{M} \le \mathcal{N}$. Now,
$\mathcal{N} \models \exists \underline{u}, \underline{r}.\delta_{\mathcal{M}}(\underline{u}, \underline{r})$ is equivalent to $\mathcal{N} \models \delta_{\mathcal{M}}(\underline{e^u}, \underline{e^r})$. By the Diagram
Lemma (i.e. Lemma 2 above), this is equivalent to the existence of
an embedding from $\mathcal{M}$ to $\mathcal{N}$, which, in turn, is equivalent to $\mathcal{M} \le \mathcal{N}$, by
definition of $\le$.

(ii) Without loss of generality, we can assume $K$ to be $\exists \underline{u}, \underline{r}.\bigvee_{k=1}^n \varphi_k(\underline{u}, \underline{r})$. For
each $k = 1, \ldots, n$, we can also assume (again without loss of generality) that
for each constant $t$ in $K$ there exists an existentially quantified variable $x$ in $\underline{u} \cup \underline{r}$ such that $x = t$.
In this way, all the elements are explicitly mentioned
in $K$. Now, in a BSR theory, every quantifier-free formula with at most $m$
free variables is equivalent to a disjunction of diagrams $\delta_{\mathcal{M}}(X)$ where
$\mathcal{M}$ is a substructure of a model of the theory and $X$ is a set of elements of
cardinality at most $m$. Thus, $K$ can be rewritten as

$\bigvee_{\mathcal{A}} \exists \underline{u}, \underline{r}.\delta_{\mathcal{A}}(\underline{u}, \underline{r})$

for $\mathcal{A}$ ranging over the models whose cardinality is $m$ (recall that the class
of models of a BSR theory is closed under substructures). Each disjunct
can be unsatisfiable, because it does not agree with the interpretation of
$ua$, or satisfiable and, in this case, the model $\mathcal{A}$ is a configuration such that
$\exists \underline{u}, \underline{r}.\delta_{\mathcal{A}}(\underline{u}, \underline{r})$ is precisely as desired.

(iii) An immediate corollary of (i) and (ii) above. □

The results in this and the previous subsection tell us that $\exists$-formulae and
configurations can be used interchangeably.
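As an added illustration of Definition 2 and Proposition 3(i) (this is not code from the paper), the following Python module represents finite configurations with named and anonymous users, decides $\mathcal{M} \le \mathcal{N}$ by searching for an embedding that fixes the named constants and preserves and reflects $ua$, builds the diagram formula $K_{\mathcal{M}}$ as an $\exists$-formula whose matrix is a conjunction of $ua$-literals and disequalities, and checks that $\mathcal{N} \models K_{\mathcal{M}}$ exactly when $\mathcal{M} \le \mathcal{N}$. The role names, the constant user `e_u` and the three configurations are constructed for the example; the second configuration shows why "reflects" matters: giving `e_u` one extra role is enough to break the embedding.

```python
"""Configurations, the embedding pre-order (Definition 2) and the diagram
formula K_M of Proposition 3(i).  Constructed illustration, not code from
the paper.  Roles are the named constants of T_Role and are rigid (every
embedding maps a role to itself); users are either named constants (fixed
by every embedding) or anonymous elements; ua is a set of (user, role) pairs.
"""
from itertools import permutations, product


class Config:
    """A finite structure: users (some of them named constants) and ua."""

    def __init__(self, users, constants, ua):
        self.users = tuple(users)
        self.constants = frozenset(constants)
        self.ua = frozenset(ua)


def is_embedding(s, M, N, roles):
    """s maps M's users to N's users.  Clause (i): s is injective and fixes the
    constants; clause (ii): s preserves *and reflects* ua (the 'iff')."""
    if len(set(s.values())) != len(s):
        return False
    if any(s[c] != c for c in M.constants):
        return False
    return all(((u, r) in M.ua) == ((s[u], r) in N.ua)
               for u in M.users for r in roles)


def embeds(M, N, roles):
    """M <= N: try every injective map from M's users into N's users."""
    return any(is_embedding(dict(zip(M.users, image)), M, N, roles)
               for image in permutations(N.users, len(M.users)))


def diagram_formula(M, roles):
    """K_M = exists x_1..x_k. delta_M: one literal ua(t, r) or not ua(t, r) per
    user term t and role r, plus pairwise distinctness of the user terms.
    Anonymous users become variables x_i; constants denote themselves.
    Returns (variables, literals as (term, role, sign), disequalities)."""
    term = {u: (u if u in M.constants else f"x{i}") for i, u in enumerate(M.users)}
    variables = [term[u] for u in M.users if u not in M.constants]
    literals = [(term[u], r, (u, r) in M.ua) for u in M.users for r in roles]
    diseq = [(term[u], term[v]) for i, u in enumerate(M.users) for v in M.users[i + 1:]]
    return variables, literals, diseq


def holds(N, formula):
    """N |= exists x.phi for phi a conjunction of ua-literals and disequalities:
    try every assignment of the variables to N's users."""
    variables, literals, diseq = formula
    for image in product(N.users, repeat=len(variables)):
        env = dict(zip(variables, image))

        def val(t):
            return env.get(t, t)          # constants are interpreted as themselves

        if all(val(a) != val(b) for a, b in diseq) and \
           all(((val(t), r) in N.ua) == sign for t, r, sign in literals):
            return True
    return False


ROLES = ("Employee", "Engineer", "Admin")          # hypothetical role constants
# M: the constant user e_u is an Employee and some anonymous user is an Engineer.
M = Config(["e_u", "a1"], ["e_u"], [("e_u", "Employee"), ("a1", "Engineer")])
# N1 extends M with a third user holding Admin: M <= N1 (a1 maps to b1).
N1 = Config(["e_u", "b1", "b2"], ["e_u"],
            [("e_u", "Employee"), ("b1", "Engineer"), ("b2", "Admin")])
# N2 gives e_u an extra role: no embedding, because embeddings reflect ua.
N2 = Config(["e_u", "b1"], ["e_u"],
            [("e_u", "Employee"), ("e_u", "Engineer"), ("b1", "Engineer")])


def same_verdict(M, N, roles=ROLES):
    """[[K_M]] = upward closure of M: (N |= K_M, M <= N) must agree."""
    return holds(N, diagram_formula(M, roles)), embeds(M, N, roles)


if __name__ == "__main__":
    print(same_verdict(M, N1), same_verdict(M, N2))
```

Both searches are exponential in the number of users, which is fine for configurations (finite by Definition 1) but is exactly what the symbolic treatment of the paper avoids: the decision procedure never enumerates structures, it checks entailment between $\exists$-formulae modulo $T_{ARBAC}$.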

B.6 Proof of termination of backward reachability 

Theorem 1. The backward reachability procedure in Figure 1 terminates.

Proof. First of all, notice that when the algorithm returns reachable, it also terminates
(line 3). So, we consider the case when the goal is unreachable. Let
$B(\tau, K) := \bigcup_{i \ge 0} [[BR^i(\tau, K)]]$. There are two cases to consider.

— Let $K$ be the $\exists$-formula given in input to the algorithm and assume that
$B(\tau, K)$ is finitely generated (that $B(\tau, K)$ is an upward closed set is obvious
because it is obtained as the union of upward closed sets, since each $[[BR^i(\tau, K)]]$ is so by
Proposition 1). Because of Proposition 2, we have that

$[[BR^0(\tau, K)]] \subseteq [[BR^1(\tau, K)]] \subseteq \cdots \subseteq [[BR^n(\tau, K)]] \subseteq [[BR^{n+1}(\tau, K)]] \subseteq \cdots$

Because $B(\tau, K)$ is finitely generated, there exists $n$ such that
$[[BR^n(\tau, K)]] = [[BR^{n+1}(\tau, K)]]$ and, again by Proposition 2, we derive
that $BR^n(\tau, K) \Leftrightarrow BR^{n+1}(\tau, K)$ is valid modulo $T_{ARBAC}$, i.e. the algorithm
halts.

— Assume that the algorithm terminates. This means that
$BR^n(\tau, K) \Leftrightarrow BR^{n+1}(\tau, K)$ is valid modulo $T_{ARBAC}$ for some $n \ge 0$ which, by Proposition 2,
is equivalent to $[[BR^n(\tau, K)]] = [[BR^{n+1}(\tau, K)]]$.
Notice that $B(\tau, K) = [[BR^n(\tau, K)]]$ is finitely generated by Proposition 3.

So far, we have proved that the backward reachability procedure in Figure 1
terminates iff $B(\tau, K)$ is finitely generated. Thus, to conclude the proof, we show
that $B(\tau, K)$ is indeed finitely generated. To this end, if we are able to prove
that the pre-order on configurations is a wqo, then we are entitled to conclude that
$B(\tau, K)$ is finitely generated (recall the definition of wqo in Section B.1). Now,
the pre-order on configurations is a wqo by Dickson's Lemma [12]. In fact, a
configuration is uniquely determined by a pair of integers counting the number
of pairs $(u, r)$ for which $ua(u, r)$ holds, and the configuration ordering is obtained
by component-wise comparison. This concludes the proof. □

Combining the results above, we derive the main result of this paper, i.e. Theo- 
rem 2. 

C Decidability of related security analysis problems 

Here we consider three security analysis problems which are related to user-role 
reachability and discuss their decidability. 

Inductive policy invariants. In [9,8], the problem of checking properties that
remain unaffected under any sequence of actions of arbitrary (but finite) length
is considered. This is the dual problem of user-role reachability; in fact, it is
not difficult to prove that if the backward reachability procedure terminates
(with unreachable), then the fix-point is the strongest invariant.
In other words, a policy invariant is a formula which holds in every state of an
ARBAC policy. In our framework, the problem of checking whether a property
is an inductive invariant (a particular case of a policy invariant) turns out to
be decidable because of Property 2. Let $\Gamma := (In, \{\tau_i\}, \{\iota_j\})$ be a symbolic ARBAC
policy. The $\forall$-formula $\psi(ua)$ is an inductive (policy) invariant for $\Gamma$ iff (a)
$In(ua) \Rightarrow \psi(ua)$ is valid modulo $T_{ARBAC}$ and (b) $(\iota(ua) \wedge \psi(ua) \wedge \tau(ua, ua')) \Rightarrow
\psi(ua')$ is valid modulo $T_{ARBAC}$. It is easy to see that (a) and (b) can be reduced
to the satisfiability of BSR formulae. In fact, (a) is equivalent to the unsatisfiability
modulo $T_{ARBAC}$ of $In(ua) \wedge \neg\psi(ua)$, which, in turn, can be transformed
into a formula of BSR. Similarly, (b) is equivalent to the unsatisfiability modulo
$T_{ARBAC}$ of $\iota(ua) \wedge \psi(ua) \wedge \tau(ua, ua') \wedge \neg\psi(ua')$, which is again logically equivalent
to a BSR formula. These observations together with Property 2 imply the following fact.

Theorem 3. The problem of establishing if a $\forall$-formula is an inductive policy
invariant is decidable.



Indeed, checking inductive invariants is a lot cheaper than running the backward
reachability procedure. The drawback is that if a property $\psi$ fails to be an
inductive invariant, then we cannot conclude anything about its being an invariant of $\Gamma$
(in other words, inductive invariants are a strict sub-class of policy invariants).
However, we can take the complement $\neg\psi$ (which is an $\exists$-formula) of $\psi$ and run
the backward reachability procedure. If this returns unreachable, then we can
conclude that $\psi$ is an invariant of $\Gamma$.
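The two checks (a) and (b) of Theorem 3, as an added example that is not part of the paper: for the single-user fragment used in Section D every state is a subset of a finite set of roles, so both validity checks can be decided by exhaustive enumeration instead of a BSR decision procedure. The policy, the role names and the two candidate invariants are constructed for the illustration; the second candidate holds in every reachable state yet fails check (b) at an unreachable state, which is exactly the situation the paragraph above warns about (and for which backward reachability on $\neg\psi$ is the fallback).

```python
"""Deciding whether a universal formula psi is an inductive policy invariant,
conditions (a) and (b) of Theorem 3, for a single-user ARBAC policy.

Constructed example with hypothetical role names; not the policy of [23] and
not code from the paper.  With one user (assumption (iv) of Section D) and
finitely many roles every state is a subset of ROLES, so both validity checks
are decided by enumerating all states instead of calling a BSR solver.
"""
from itertools import combinations

ROLES = ("Employee", "Contractor", "Engineer", "Reviewer", "Deployer", "ProdAdmin")

# can_assign rule: (positive preconditions, negative preconditions, target role)
CAN_ASSIGN = [
    ({"Employee"}, set(), "Engineer"),
    ({"Engineer"}, set(), "Reviewer"),
    ({"Engineer", "Reviewer"}, {"Contractor"}, "Deployer"),
    ({"Deployer"}, {"Contractor"}, "ProdAdmin"),
]
CAN_REVOKE = ["Contractor"]                        # roles that may be revoked
INITIAL = [frozenset({"Employee", "Contractor"})]  # the models of In(ua)


def all_states():
    """Every interpretation of ua for the single user: all subsets of ROLES."""
    for k in range(len(ROLES) + 1):
        for combo in combinations(ROLES, k):
            yield frozenset(combo)


def successors(state):
    """All (action, ua') such that tau(ua, ua') holds for an enabled action."""
    for pos, neg, target in CAN_ASSIGN:
        if pos <= state and not (neg & state):
            yield ("assign", target), state | {target}
    for target in CAN_REVOKE:
        yield ("revoke", target), state - {target}


def check_inductive(psi):
    """(a) In => psi and (b) psi and tau => psi'.  Returns (True, None) or
    (False, counterexample) with counterexample = ('init', s0) or
    ('step', s, action, s')."""
    for s0 in INITIAL:                          # check (a)
        if not psi(s0):
            return False, ("init", s0)
    for s in all_states():                      # check (b): every state, reachable or not
        if not psi(s):
            continue
        for action, s1 in successors(s):
            if not psi(s1):
                return False, ("step", s, action, s1)
    return True, None


def psi_separation(s):
    """psi1: whoever holds ProdAdmin is not a Contractor.  Inductive."""
    return "ProdAdmin" not in s or "Contractor" not in s


def psi_engineer(s):
    """psi2: whoever holds ProdAdmin is an Engineer.  True in every reachable
    state, but not inductive: the unreachable state {Deployer} breaks (b)."""
    return "ProdAdmin" not in s or "Engineer" in s


if __name__ == "__main__":
    print(check_inductive(psi_separation))
    print(check_inductive(psi_engineer))
```

The counterexample returned for `psi_engineer` is the state in which the user holds only `Deployer`: it satisfies the property, the fourth rule is enabled there, and the successor violates it. Since that state is not reachable from `INITIAL`, the property is an invariant after all, which is what the backward search on its negation establishes.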

Role containment. The problem of role containment for a symbolic ARBAC
policy $\Gamma$ consists of checking if every member of a certain role, say $e^r_1$, is also a
member of another role, say $e^r_2$, in every state reachable from the initial state.
For simplicity, assume there is no role hierarchy. It is easy to reduce this to the
user-role reachability problem by considering a role $e^r_k$ not occurring in $\Gamma$ and
the following can_assign action:

$\exists u, r, r_1.(ua(u, r) \wedge r = e^r_1 \wedge \neg ua(u, r_1) \wedge r_1 = e^r_2 \wedge ua' = ua \oplus (u, e^r_k)).$

Let $\Gamma'$ be obtained by adding the action above to $\Gamma$. It is easy to see that the
role containment problem for $\Gamma$ has a negative answer iff role $e^r_k$ is reachable in $\Gamma'$:
the new action fires exactly in a state where some member of $e^r_1$ is not a member of $e^r_2$.

Weakest precondition. The weakest precondition problem for a transition system
$\Gamma$ and goal $\gamma$ consists of computing the minimal sets of initial role memberships
of a given user $e^u_k$ for which $\gamma$ is reachable. This can be reduced to the user-role
reachability problem by taking $\forall u, r.\neg ua(u, r)$ as the initial state formula $In$ and
then using a refinement of the backward reachability procedure in Figure 1. The
refinement consists of using $\exists$-formulae whose matrix is a conjunction of literals
only; this is without loss of generality as any $\exists$-formula can be transformed into a
finite disjunction of $\exists$-formulae whose matrices are conjunctions of literals, called
$\exists^+$-formulae, by simple logical manipulations, and representing the search space
by a forest of trees whose nodes are labelled by $\exists^+$-formulae.

The root nodes are labelled by the $\exists^+$-formulae whose disjunction is equivalent
to the goal $\gamma$. Then, we iteratively extend each tree by selecting a node
with no children and adding as many children as the number of $\exists^+$-formulae which are
equivalent to the pre-image of the formula labelling the parent node. After the
creation of a node $n$, we check whether a fix-point has been reached as follows.
First, we consider the formula $\psi$ labelling node $n$. Second, we take the disjunction
$B$ of the $\exists^+$-formulae labelling all the nodes in the forest except $n$: it is not
difficult to see that this is equivalent to the content of the variable $B$ of the
procedure in Figure 1, i.e. it is the set of backward reachable states. Third, we
check the satisfiability of $\neg(\psi \Rightarrow B)$, which is similar to the check at line 2
in Figure 1 except that $\psi$ is an $\exists^+$-formula instead of an $\exists$-formula. Because the
pre-order on configurations is a wqo, it is possible to show that this procedure
always terminates with finitely many trees. At this point, we collect all the $\exists^+$-formulae
labelling the nodes of the trees in the forest, compute the corresponding
configurations (this is always possible because of Lemma 1), and take only those
sets where the interpretation of $ua$ has the minimal number of occurrences of
the user $e^u_k$ as the first component. Since all the computations are effective, the
procedure terminates.

By these reductions, we obtain the decidability of these two security analysis
problems.

Theorem 4. The containment and weakest precondition problems are decidable.

D A worked-out example

We consider a simple reachability problem in [23]. There are several simplifying
assumptions made by the authors of [23] that allow us to: (i) ignore permissions
and focus only on roles, (ii) abstract away the role hierarchy, (iii) assume there
is just one administrative role and one user capable of executing an administrative
action of assignment, and (iv) assume there exists just one user to which administrative
actions can be applied. As a consequence, a can_assign action can be seen as a
pair $(C, r')$ (where the administrative role has been omitted) while a can_revoke
action only identifies the role $r'$ to be revoked and ignores the administrative role
that is supposed to apply the action, hence its specification will simply be $(r')$.
Under these assumptions, the ARBAC policy considered in [23] consists of the
following can_assign actions:

where we have dropped the numerical subscript of the constant $e^u$ denoting a
user because of assumption (iv); and the following can_revoke actions:

The initial state $s_0$ of the ARBAC system is the following:

$s_0(ua) := \{(e^u, e^r_1), (e^u, \text{eJ}), (e^u, \text{e£})\},$

and the goal is to reach a state where the user $e^u$ is assigned to role $e^r_8$. As
said in [23], the goal is not reachable from the initial state. Below, we explain how
to show that this is indeed the case in our framework, using the backward
reachability procedure in Figure 1.

First of all, we specify the theory $T_{ARBAC} := T_{Role} \cup T_{User} \cup T_{Permission} \cup PA$
as follows:

$T_{Role} := SV(\{e^r_1, \ldots, e^r_8\}, Role)$
$T_{User} := SV(\{e^u\}, User)$
$T_{Permission} := \emptyset$
$PA := \emptyset.$

The formula $In(ua)$ characterizing the set of initial states is expressed by

$\forall u, r.(ua(u, r) \Rightarrow (u = e^u \wedge r = e^r_1) \vee (u = e^u \wedge r = \text{eJ}) \vee (u = e^u \wedge r = \text{e£})).$

The goal formula $\gamma(ua)$ characterizing the set of goal states is expressed by

$\exists u, r.(ua(u, r) \wedge u = e^u \wedge r = e^r_8).$

Notice that because of assumption (ii), the restricted form of negation allowed in
the preconditions of transitions of the form (1) is sufficient to precisely describe
the can_assign actions above:

can_assign$_1$ : $\exists u, r.(ua(u, r) \wedge r = e^r_1 \wedge ua' = ua \oplus (u, e^r_2))$

can_assign$_2$ : $\exists u, r.(ua(u, r) \wedge r = e^r_2 \wedge ua' = ua \oplus (u, \text{e\textasciicircum}))$

can_assign$_3$ : $\exists u, r, r_1.(ua(u, r) \wedge r = e^r_5 \wedge \neg ua(u, r_1) \wedge r_1 = e^r_1 \wedge ua' = ua \oplus (u, e^r_8))$

can_assign$_4$ : $\exists u, r.(ua(u, r) \wedge r = e^r_5 \wedge ua' = ua \oplus (u, e^r_8))$

can_assign$_5$ : $\exists u, r.(\neg ua(u, r) \wedge r = e^r_2 \wedge ua' = ua \oplus (u, \text{e£}))$

can_assign$_6$ : $\exists u, r.(ua(u, r) \wedge r = e^r_7 \wedge ua' = ua \oplus (u, e^r_8)).$

The can_revoke actions can be expressed as follows:

Now, we can explain how the backward reachability procedure works on the
example. In order to simplify the presentation, in the following, we use a variant
of the backward reachability procedure in Figure 1. The differences are the
following. First, instead of considering the disjunction of all the possible actions
and computing the pre-image of the goal with respect to this complex formula, we
consider the pre-image of the goal with respect to each possible action separately.
This allows us to write more compact formulae and, since pre-image computation
distributes over disjunction, it is sufficient to take the disjunction of the pre-images
computed with respect to the single actions to obtain the same formula computed
by the procedure in Figure 1. Concerning the satisfiability checks, while the
reachability test can be done as soon as we obtain a (satisfiable) pre-image with
respect to a single action, the fix-point check requires a bit of care. In fact, after
obtaining a (satisfiable) pre-image, the fix-point is local to that pre-image in the
sense that all the (satisfiable) pre-images with respect to the remaining actions
must also be checked for fix-point. Hence, a global fix-point is reached only when
all the local fix-point checks succeed. Furthermore, each local fix-point check must be
done by conjoining the current pre-image with the conjunction of the negations of
the pre-images previously computed. It is not difficult to see that the global
fix-point corresponds to the fix-point check of the procedure in Figure 1.

First of all, the backward procedure computes the pre-image of $\gamma$ with respect
to each can_assign and can_revoke action. To illustrate how one of the
pre-image computations is done, let us consider $Pre(\text{can\_assign}_4, \gamma)$, i.e.

$\exists u_1, r_1.(ua'(u_1, r_1) \wedge u_1 = e^u \wedge r_1 = e^r_8) \wedge$
$\exists u_2, r_2.(ua(u_2, r_2) \wedge u_2 = e^u \wedge r_2 = e^r_5 \wedge ua' = ua \oplus (u_2, e^r_8))$

where variables have been renamed to disambiguate the scopes of the existential
quantifiers and $ua'$ is implicitly existentially quantified. The formula can be
rewritten as follows:

$(ua'(u_1, r_1) \wedge u_1 = e^u \wedge r_1 = e^r_8) \wedge$
$ua(u_2, r_2) \wedge u_2 = e^u \wedge r_2 = e^r_5 \wedge$
$ua' = \lambda w, r.(\mathbf{if}\ (w = u_2 \wedge r = e^r_8)\ \mathbf{then}\ true\ \mathbf{else}\ ua(w, r))$

by simple logical manipulations and recalling the definition of $\oplus$. Then, substituting
the $\lambda$-expression we derive:

$(\lambda w, r.(\mathbf{if}\ (w = u_2 \wedge r = e^r_8)\ \mathbf{then}\ true\ \mathbf{else}\ ua(w, r))(u_1, r_1) \wedge$
$u_1 = e^u \wedge r_1 = e^r_8) \wedge ua(u_2, r_2) \wedge u_2 = e^u \wedge r_2 = e^r_5 \wedge$
$ua' = \lambda w, r.(\mathbf{if}\ (w = u_2 \wedge r = e^r_8)\ \mathbf{then}\ true\ \mathbf{else}\ ua(w, r))$

which can be further simplified as follows by $\beta$-reduction:

$((\mathbf{if}\ (u_1 = u_2 \wedge r_1 = e^r_8)\ \mathbf{then}\ true\ \mathbf{else}\ ua(u_1, r_1)) \wedge$
$u_1 = e^u \wedge r_1 = e^r_8) \wedge ua(u_2, r_2) \wedge u_2 = e^u \wedge r_2 = e^r_5 \wedge$
$ua' = \lambda w, r.(\mathbf{if}\ (w = u_2 \wedge r = e^r_8)\ \mathbf{then}\ true\ \mathbf{else}\ ua(w, r))$

Now, we observe that $u_1 = u_2$ is valid modulo $T_{ARBAC}$ since $T_{User}$ constrains
the set of users to be the singleton set $\{e^u\}$, and that $r_1 = e^r_8$ holds because it
occurs in the formula above; hence the conditional reduces to $true$ and we can simplify the formula above as follows:



$\exists u_1, r_1, u_2, r_2.(u_1 = e^u \wedge r_1 = e^r_8 \wedge ua(u_2, r_2) \wedge u_2 = e^u \wedge r_2 = e^r_5)$

where $ua'$ has been dropped since the equality $ua' = \lambda w, r.(\cdots)$ is easily seen to
be always satisfiable (this is so because, to make the equality true, it is sufficient
to take $ua'$ equal to the $\lambda$-expression on the right). Finally, simple considerations
on the quantified variables ($u_1 = u_2$ is forced by $T_{User}$, and $r_1$ occurs only in the
equality $r_1 = e^r_8$) allow us to simplify the last formula even further so
as to obtain:

$\exists u, r.(ua(u, r) \wedge u = e^u \wedge r = e^r_5),$

whose matrix is a policy constraint, exactly as the matrix of $\gamma$. This is not an
accident, as it is possible to show that the class of existentially quantified
formulae whose matrix is a policy constraint is closed under pre-image computation.
Let $B_0$ be $\gamma$ and $B_1$ be the last formula above. The backward procedure
performs a satisfiability check of the conjunction of $In$ and $B_1$, i.e. of the
following formula:

$\forall u, r.(ua(u, r) \Rightarrow (u = e^u \wedge r = e^r_1) \vee (u = e^u \wedge r = \text{eJ}) \vee (u = e^u \wedge r = \text{e£})) \wedge$
$\exists u, r.(ua(u, r) \wedge u = e^u \wedge r = e^r_5),$

so as to check whether the goal has been reached. Skolemizing the two existentially
quantified variables, we obtain:

$\forall u, r.(ua(u, r) \Rightarrow (u = e^u \wedge r = e^r_1) \vee (u = e^u \wedge r = \text{eJ}) \vee (u = e^u \wedge r = \text{e£})) \wedge$
$ua(\bar{u}, \bar{r}) \wedge \bar{u} = e^u \wedge \bar{r} = e^r_5,$

where $\bar{r}$ and $\bar{u}$ are fresh constants. Now, observe that the universally quantified
variable $u$ can only take one value as we have assumed that the set of users
contains just one element $e^u$; hence it must be $u = e^u$. So, we are left with the
problem of instantiating the universally quantified variable $r$. The decidability
result of Property 2 allows us to consider only the instances of the formula where
$u$ is instantiated to $e^u$ and $r$ to $\bar{r}$. It is not difficult to see that the resulting
formula is unsatisfiable ($\bar{r} = e^r_5$ and $ua(e^u, \bar{r})$ force $\bar{r}$ to be one of the three
roles of the initial state, but $T_{Role}$ makes $e^r_5$ distinct from each of them), thus
entitling us to conclude that the sets of states
characterized by $B_1$ and $In$ are disjoint and the goal state is not reachable by
applying can_assign$_4$.

Then, the backward procedure proceeds to check for a fix-point. This is equivalent
to the validity of $B_1 \Rightarrow B_0$ or to the unsatisfiability of its negation, namely
$B_1 \wedge \neg B_0$:

$\exists u, r.(ua(u, r) \wedge u = e^u \wedge r = e^r_5) \wedge \forall u, r.\neg(ua(u, r) \wedge u = e^u \wedge r = e^r_8).$

As before, we Skolemize the existentially quantified variables so as to obtain the
following formula:

$ua(\bar{u}, \bar{r}) \wedge \bar{u} = e^u \wedge \bar{r} = e^r_5 \wedge \forall u, r.\neg(ua(u, r) \wedge u = e^u \wedge r = e^r_8),$

where $\bar{u}, \bar{r}$ are fresh constants. As before, because of Property 2, without loss
of generality, we can restrict to consider the formula obtained by instantiating
$u$ to $e^u$ and $r$ to $\bar{r}$: this time, however, we conclude that the formula is satisfiable
(it suffices to let $ua$ hold of $(e^u, e^r_5)$ only). Thus, we have shown that a fix-point has not been reached and we need to
compute the pre-images of $B_1$ w.r.t. all the can_assign and can_revoke actions.
However, before computing the pre-images of $B_1$, we also need to compute
the pre-images of $B_0$ w.r.t. $\tau \in \{\text{can\_assign}_i \mid i = 1, 2, 3, 5, 6\} \cup \{\text{can\_revoke}_i \mid i =
1, \ldots, 6\}$, i.e. for the remaining assignments and revocations. This turns out to be
useless as all the formulae obtained in this way characterize sets of states that
are subsets of those specified by $\gamma$ or, in other words, we have reached a (local)
fix-point. For the sake of conciseness, we do not do this here. However, the
reader can verify this as a simple exercise by following the steps taken above for
computing $Pre(\text{can\_assign}_4, \gamma)$ and checking for safety and fix-point. Similar
observations hold also for the pre-images of $B_1$: it turns out that all these formulae
imply $B_1$, i.e. several (local) fix-points have been reached, and are unsatisfiable
when considered in conjunction with $In$, i.e. they pass the safety check. As a
consequence, we can conclude that we have reached a (global) fix-point and the
goal is not reachable.
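The following Python program is an added example of the procedure just traced by hand, restricted to the single-user case of assumptions (iii) and (iv); it is constructed for this page and is neither the policy of [23] nor code from the paper. An $\exists$-formula whose matrix is a policy constraint is stored as a cube $(Pos, Neg)$ of roles the user must and must not hold; pre-images under can_assign and can_revoke are computed directly on cubes; the entailment test of Proposition 2 becomes a subsumption test between cubes (which is what makes the fix-point check decidable here without a BSR solver); and the safety check tests the cube against the single initial state. Role names, rules and initial state are hypothetical. The last call goes beyond the reachability question of this section: it takes as goal the negation of a $\forall$-formula, which is the use of the procedure for non-inductive invariants described in Section C.

```python
"""Backward reachability for the single-user fragment of a symbolic ARBAC
policy (assumptions (iii) and (iv) above).  Constructed example, not the
policy of [23] and not code from the paper.

A state is the set of roles held by the one user e_u.  An existential
formula whose matrix is a policy constraint is kept as a cube (pos, neg):
the user holds every role in pos and none in neg, so [[cube]] is the set of
states S with pos <= S and neg disjoint from S.
"""
from collections import deque


class Cube:
    """Conjunction of ua(e_u, r) for r in pos and not ua(e_u, r) for r in neg."""

    def __init__(self, pos, neg, action=None, parent=None):
        self.pos, self.neg = frozenset(pos), frozenset(neg)
        self.action, self.parent = action, parent   # which pre-image produced it

    def subsumes(self, other):
        # [[other]] <= [[self]] iff self requires fewer literals (Proposition 2)
        return self.pos <= other.pos and self.neg <= other.neg

    def meets(self, state):
        # [[self]] contains the concrete state: the safety check of line 3
        return self.pos <= state and not (self.neg & state)


def pre_assign(cube, pre_pos, pre_neg, target):
    """Pre-image under can_assign(pre_pos, pre_neg, target): states S with
    pre_pos <= S, pre_neg disjoint from S and S | {target} in [[cube]]."""
    if target in cube.neg:             # assigning target can never land in cube
        return None
    pos = (cube.pos - {target}) | pre_pos
    neg = cube.neg | pre_neg
    if pos & neg:                      # contradictory literals: empty set of states
        return None
    return Cube(pos, neg, ("assign", target), cube)


def pre_revoke(cube, target):
    """Pre-image under can_revoke(target): states S with S - {target} in [[cube]]."""
    if target in cube.pos:
        return None
    return Cube(cube.pos, cube.neg - {target}, ("revoke", target), cube)


def backward_reach(can_assign, can_revoke, initial, goal):
    """Return (reachable, trace); trace lists the administrative actions that
    lead from `initial` into [[goal]] when reachable, else []."""
    B, frontier = [goal], deque([goal])   # B: backward reachable cubes so far
    while frontier:
        cube = frontier.popleft()
        if cube.meets(initial):           # In and B_n satisfiable: reachable
            trace = []
            while cube.action is not None:
                trace.append(cube.action)
                cube = cube.parent
            return True, trace
        pres = [pre_assign(cube, p, n, t) for p, n, t in can_assign]
        pres += [pre_revoke(cube, t) for t in can_revoke]
        for pre in pres:
            if pre is None or any(b.subsumes(pre) for b in B):
                continue                  # unsatisfiable, or already in B (fix-point)
            B.append(pre)
            frontier.append(pre)
    return False, []                      # global fix-point: goal unreachable


def replay(trace, can_assign, can_revoke, initial):
    """Re-execute a trace forward, checking every action's precondition."""
    state = set(initial)
    for kind, role in trace:
        if kind == "assign":
            assert any(t == role and p <= state and not (n & state)
                       for p, n, t in can_assign), ("assign not enabled", role)
            state.add(role)
        else:
            assert role in can_revoke, ("revoke not allowed", role)
            state.discard(role)
    return frozenset(state)


# Constructed policy with hypothetical role names.
# can_assign rule: (positive preconditions, negative preconditions, target role)
CAN_ASSIGN = [
    ({"Employee"}, set(), "Engineer"),
    ({"Engineer"}, set(), "Reviewer"),
    ({"Engineer", "Reviewer"}, {"Contractor"}, "Deployer"),
    ({"Deployer"}, {"Contractor"}, "ProdAdmin"),
]
INITIAL = frozenset({"Employee", "Contractor"})
GOAL = Cube({"ProdAdmin"}, set())                 # gamma: e_u holds ProdAdmin

if __name__ == "__main__":
    # Contractor can never be revoked: unreachable (global fix-point).
    print(backward_reach(CAN_ASSIGN, [], INITIAL, GOAL))
    # Allow revoking Contractor: reachable, with the administrative trace.
    ok, trace = backward_reach(CAN_ASSIGN, ["Contractor"], INITIAL, GOAL)
    print(ok, trace, replay(trace, CAN_ASSIGN, ["Contractor"], INITIAL))
    # Invariant "ProdAdmin implies Engineer": its negation is the goal cube.
    print(backward_reach(CAN_ASSIGN, ["Contractor"], INITIAL,
                         Cube({"ProdAdmin"}, {"Engineer"})))
```

Two details mirror the text above. A pre-image whose positive and negative literals overlap is the cube-level counterpart of a pre-image that is unsatisfiable modulo $T_{ARBAC}$, and a cube subsumed by one already in $B$ is exactly a local fix-point: its states are already covered, so it adds nothing to the disjunction. Termination needs no wqo argument in this fragment because the number of cubes over a finite role set is finite; the paper's Dickson-lemma argument is what extends the same procedure to unboundedly many users.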



